SolarWinds breach and the 2023 SEC lawsuit
Resources and Links for the book Cyberlaw: Law for Digital Spaces and Information Systems, by John Bandler

By John Bandler

This page has resources relating to this case, which I discuss in my book on Cyberlaw, and wrote about in two articles on Reuters.

Looking to navigate to another place?

SolarWinds breach and the 2023 SEC lawsuit

This webpage is a way to make certain case documents and citations easily available for students, those reading my book, and anyone else researching this. This gets you started, now you can go further in your learning and research.

The Solar Winds case is a civil case (not a criminal case), brought by the U.S. Securities and Exchange Commission (SEC) in federal court.

My 2025 book on cyberlaw discusses this case in Chapter 31 (Cybersecurity and data protection).

"In the Solar Winds case, the SEC took the position that false public statements about cybersecurity violated ... investor protection [laws and] regulations, and they brought a civil lawsuit against the company and their chief information security officer (CISO)." Bandler, Cyberlaw: Law for Digital Spaces and Information Systems, (2025) p. 353 (Ch 31).

I also wrote about this in my November 2023 Reuters article:

"SolarWinds Corporation offers a network monitoring software called Orion which was used by tens of thousands of companies to manage their own networks. SolarWinds was breached as early as January 2019 and then the cyber attackers compromised the Orion software around December 2020. This infected software was downloaded and used by SolarWinds customers giving attackers free roam of customer networks, a compromise not detected for many months." Bandler, SolarWinds and the SEC lawsuit, Reuters Legal News, Nov 21, 2023 (link at bottom).

I wrote about this again in my April 2025 Reuters article:

"The Securities and Exchange Commission (SEC) lawsuit against SolarWinds is a cautionary tale suggesting diligence for all statements about cybersecurity, no matter the audience."  Bandler, Statements about cybersecurity: A duty of accuracy or a license for puffery?, Reuters Legal News, April 14, 2025 (link at bottom).

I am speaking about the SolarWinds case April 2025 at RSAC 2025, titled "The SolarWinds CISO Litigation and What It Means for Your InfoSec Program - [LAW-T02]", https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727552046840001CrGG

Major chronological steps and court documents

Remember this is a pending litigation between two (or more) sides. Each side has their own version of the facts and the law. A complaint is just an allegation, then the other side often denies the claims. Some of these chronological steps may be in dispute.

Throughout the entire period, cybersecurity and operations continue, and management and employees are making many statements, assertions, and communications about cybersecurity. Relevant questions include:

  • What was the cybersecurity posture and controls of SolarWinds?
    • Was that cybersecurity reasonable?
  • What statements were made about SolarWinds' cybersecurity posture and controls?
    • Who were statements made to? (internal, external, etc)
    • Were those statements accurate.?

Here is my chronology:

  • 1999 SolarWinds founded
  • 2009 SolarWinds does first initial public offering (IPO) becoming a public company. Public companies (publicly traded shares) fall under securities laws, regulated by the SEC.
  • 2016 SolarWinds becomes privately owned.
  • Late 2017, SolarWinds posts a security statement online. The SEC alleges this statement contained materially false and misleading statements, that some employees viewed it as "aspirational" rather than fact, and that it contained inaccuracies contradicted by other internal statements, by the lack of security controls, and as evidenced by the data breach.
    • Note: Following the the decision of 7/2024, the allegations relating to this security statement are pending.
  • 2018-1, SolarWinds was not following a software secure development lifecycle (SDL) despite public statements to the contrary.
  • 2018-10 SolarWinds goes public again (second IPO).
  • 2019-9 (estimated), cyber attackers (attributed by many to the Russian Foreign Intelligence Service or those acting under their direction) gain unauthorized access to SolarWinds network, their Orion software, and to all of their client networks.
  • 2020-7, SolarWinds internal concern over specific vulnerabilities with Orion software, and a specific event with a specific customer.
  • 2020-10, Evidence of a potential breach with another customer (Palo Alto Networks), involving Orion software.
  • 2020-11-05, communications externally and internally regarding Palo Alto Networks suspicious activity.
  • 2020-12, FireEye discloses that they were a victim of the attack. Thousands of SolarWinds customers affected, including U.S. government (Department of Homeland Security, Department of State, Department of Commerce, Department of Treasury, etc.), all via SolarWinds platform.
  • Side note: 2022-10-28, SolarWinds agrees to settle a shareholder class-action lawsuit for $26 million (final hearing and judgement issued on July 28, 2023)
    • Shareholders can sue the company they own stock in by alleging the corporation's management (directors, officers, etc.) breach their duties to serve and make decisions in the best interests of the company and owners. These suits can be a direct suit against the individuals or a derivative suit on behalf of the company. See Cornell LII link below.
    • A separate shareholder’s derivative lawsuit was dismissed on jurisdictional grounds, and that dismissal was upheld on appeal.
  • 2022-10-28, Wells notice (intent to file an enforcement action) sent to SolarWinds by the SEC
  • 2023-06-23, Wells notice sent to SolarWinds’ CEO and CISO by the SEC
  • 2023-10-30, Civil complaint: SEC v. SolarWinds and CISO, 2023-10-30 SEC vs SolarWinds Complaint (hosted here) (the SEC's civil complaint against SolarWinds Corp and their CISO Timothy Brown alleging violations of civil laws that SEC enforces/regulates)
  • 2023/10/30, SEC Press Release, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures, https://www.sec.gov/news/press-release/2023-227
  • 2023/10/31, SEC Litigation Release, SolarWinds Corporation and Timothy G. Brown, https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25887
  • 2023/10/30, SolarWinds statement about the SEC complaint, of 10/30/2023, https://orangematter.solarwinds.com/2023/10/30/transparency-information-sharing-and-collaboration/
  • 2024-02-16, Amended complaint filed, SEC v. SolarWinds, 2024-02-16 SEC vs SolarWinds Amended Complaint (hosted here)
  • 2024-03-22, SolarWinds and CISO make motion to dismiss, 2024-03-22 SolarWinds Motion-to-Dismiss
  • 2024-07-18, Court decision, 2024-07-18 SEC vs SolarWinds Opinion Order (hosted here) (trial court decision by federal Judge Paul Engelmayer of the Southern District of New York which dismissed much of the SEC's case, but not all of it. It remains to be seen how this litigation will resolve)
  • 2025-2, Agreement for SolarWinds acquisition by Turn/River Capital
  • 2025-4-16 Turn/River Capital completes acquisition of SolarWinds (now a private company, not a public company)
  • Subsequent actions?
    • With a new administration, certain SEC regulatory actions will be affected.

Primary statutes

SEC basics

The Securities and Exchange Commission (SEC) is a regulator for public companies with an important goal of protecting investors and healthy markets. One aspect of investor protection is trying to ensure they have accurate information.

The SEC says, “We make markets work better. Founded to help our country respond to the Great Depression, we’re the agency that protects investors from misconduct, promotes fairness & efficiency in the securities markets, and facilitates capital formation for those looking to hire, innovate, and grow.”  See SEC homepage, https://www.sec.gov/

SolarWinds basics

SolarWinds is a cybersecurity company, their network monitoring product "Orion" was breached, allowing attackers in to customer systems.

The claims (causes of action, claims for relief) in the SEC civil complaints

Both the original complaint (10/30/2023) and the amended complaint (2/16/2024) from the SEC have ten claims (causes of action) which are are the same in both the original complaint and the amended complaint.

Some claims are against both SolarWinds and Brown, some are against just one of them.

  • First Claim for Relief (SolarWinds and Brown), violation of Securities Act Section 17(a),  15 U.S.C. §77(q)(a), alleging untrue statements of a material fact, or omitting material facts necessary... and transactions, practices, course of business which would be a fraud or deceit on purchasers of the stock.
  • Second Claim for Relief (Brown), , violation of Securities Act Section 17(a),  15 U.S.C. §77(q)(a),
  • Third Claim for Relief (SolarWinds and Brown), violation of Exchange Act Section 10(b), 15.U.S.C. §78(j-2),  untrue statements of a material fact or omitted to state one or more material facts necessary
  • Fourth Claim for Relief (Brown) violation of Exchange Act Section 10(b), 15.U.S.C. §78(j)(2)
  • Fifth Claim for Relief (SolarWinds), violation of Exchange Act Section 13(a), 15 U.S.C. §78(m-1)
  • Sixth Claim for Relief (Brown), violation of Exchange Act Section 13(a), 15 U.S.C. §78(m-1)
  • Seventh Claim for Relief (SolarWinds), violation of Exchange Act Section 13(b)(2)(B), 15 U.S.C. § 78m(b)(2)(B).
  • Eighth Claim for Relief (Brown), violation of Exchange Act Section 13(b)(2)(B), 15 U.S.C. § 78m(b)(2)(B).
  • Ninth Claim for Relief (SolarWinds), violation of Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15(a)
  • Tenth Claim for Relief (Brown), violation of Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15(a)

Links to the statutes and regulations cited above

Someday I might link to each individual statute, but they are not pleasant reads. You are better off just reading the complaint which cites and quotes them.

Or find them online starting here:

SEC Jurisdiction and venue authority

Other legal links

Articles

Other

Cyberlaw book links and information

This page is hosted at https://johnbandler.com/solarwinds-breach-and-2023-sec-lawsuit, copyright John Bandler, all rights reserved. No claim to the public legal documents filed.

Originally posted 12/04/2024.  Updated 4/21/2025.