SolarWinds breach and the 2023 SEC lawsuit
Resources and Links for the book Cyberlaw: Law for Digital Spaces and Information Systems, by John Bandler

By John Bandler

This page has resources relating to this case, which I discuss in my book on Cyberlaw.

Looking to navigate to another place?

SolarWinds breach and the 2023 SEC lawsuit

This webpage is a way to make certain case documents and citations easily available for students, those reading my book, and anyone else researching this. This gets you started, now you can go further in your learning and research.

The Solar Winds case is a civil case (not a criminal case), brought by the U.S. Securities and Exchange Commission (SEC) in federal court.

My book discusses this case in Chapter 31 (Cybersecurity and data protection).

"In the Solar Winds case, the SEC took the position that false public statements about cybersecurity violated ... investor protection [laws and] regulations, and they brought a civil lawsuit against the company and their chief information security officer (CISO)." Cyberlaw: Law for Digital Spaces and Information Systems, (2025) p. 353 (Ch 31).

Major chronological steps and court document

  • 2019-9 (estimated), cyber attackers (attributed by many to the Russian Foreign Intelligence Service) gain unauthorized access to SolarWinds network, and thus to SolarWinds client networks.
  • 2020-12, FireEye discloses that they were a victim of the attack. Thousands of SolarWinds customers affected, including U.S. government (Department of Homeland Security, Department of State, Department of Commerce, Department of Treasury, etc.), all via SolarWinds platform.
  • Side note: 2022-10-28, SolarWinds agrees to settle a shareholder class-action lawsuit for $26 million (final hearing and judgement issued on July 28, 2023)
    • Shareholders can sue the company they own stock in by alleging the corporation's management (directors, officers, etc.) breach their duties to serve and make decisions in the best interests of the company and owners. These suits can be a direct suit against the individuals or a derivative suit on behalf of the company. See Cornell LII link below.
    • A separate shareholder’s derivative lawsuit was dismissed on jurisdictional grounds, and that dismissal was upheld on appeal.
  • 2022-10-28, Wells notice (intent to file an enforcement action) sent to SolarWinds by the SEC
  • 2023-06-23, Wells notice sent to SolarWinds’ CEO and CISO by the SEC
  • 2023-10-30, Civil complaint: SEC v. SolarWinds and CISO, 2023-10-30 SEC vs SolarWinds Complaint (hosted here) (the SEC's civil complaint against SolarWinds Corp and their CISO Timothy Brown alleging violations of civil laws that SEC enforces/regulates)
  • 2024-02-16, Amended complaint filed, SEC v. SolarWinds, 2024-02-16 SEC vs SolarWinds Amended Complaint (hosted here)
  • 2024-03-22, SolarWinds and CISO make motion to dismiss, 2024-03-22 SolarWinds Motion-to-Dismiss
  • 2024-07-18, Court decision, 2024-07-18 SEC vs SolarWinds Opinion Order (hosted here) (trial court decision by federal Judge Paul Engelmayer of the Southern District of New York which dismissed much of the SEC's case, but not all of it. It remains to be seen how this litigation will resolve)
  • 2025-2, Agreement for SolarWinds acquisition by Turn/River Capital
  • Subsequent actions?
    • With a new administration, certain SEC regulatory actions will be affected.

Primary statutes

SEC information

The SEC is a regulator for public companies with an important goal of protecting investors and healthy markets. One aspect of investor protection is trying to ensure they have accurate information.

The SEC says, “We make markets work better. Founded to help our country respond to the Great Depression, we’re the agency that protects investors from misconduct, promotes fairness & efficiency in the securities markets, and facilitates capital formation for those looking to hire, innovate, and grow.”  See SEC homepage, https://www.sec.gov/

SolarWinds and the breach

"SolarWinds Corporation offers a network monitoring software called Orion which was used by tens of thousands of companies to manage their own networks. SolarWinds was breached as early as January 2019 and then the cyber attackers compromised the Orion software around December 2020. This infected software was downloaded and used by SolarWinds customers giving attackers free roam of customer networks, a compromise not detected for many months." Bandler, SolarWinds and the SEC lawsuit, Reuters Legal News, 11/21/2023.

Articles

Other

The claims (causes of action, claims for relief) in the SEC civil complaints

Both the original complaint (10/30/2023) and the amended complaint (2/16/2024) from the SEC have ten claims (causes of action) which are are the same in both the original complaint and the amended complaint.

Some claims are against both SolarWinds and Brown, some are against just one of them.

  • First Claim for Relief (SolarWinds and Brown), violation of Securities Act Section 17(a),  15 U.S.C. §77(q)(a), alleging untrue statements of a material fact, or omitting material facts necessary... and transactions, practices, course of business which would be a fraud or deceit on purchasers of the stock.
  • Second Claim for Relief (Brown), , violation of Securities Act Section 17(a),  15 U.S.C. §77(q)(a),
  • Third Claim for Relief (SolarWinds and Brown), violation of Exchange Act Section 10(b), 15.U.S.C. §78(j-2),  untrue statements of a material fact or omitted to state one or more material facts necessary
  • Fourth Claim for Relief (Brown) violation of Exchange Act Section 10(b), 15.U.S.C. §78(j)(2)
  • Fifth Claim for Relief (SolarWinds), violation of Exchange Act Section 13(a), 15 U.S.C. §78(m-1)
  • Sixth Claim for Relief (Brown), violation of Exchange Act Section 13(a), 15 U.S.C. §78(m-1)
  • Seventh Claim for Relief (SolarWinds), violation of Exchange Act Section 13(b)(2)(B), 15 U.S.C. § 78m(b)(2)(B).
  • Eighth Claim for Relief (Brown), violation of Exchange Act Section 13(b)(2)(B), 15 U.S.C. § 78m(b)(2)(B).
  • Ninth Claim for Relief (SolarWinds), violation of Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15(a)
  • Tenth Claim for Relief (Brown), violation of Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15(a)

Links to the statutes and regulations cited above

Someday I might link to each individual statute, but they are not pleasant reads. You are better off just reading the complaint which cites and quotes them.

Or find them online starting here:

SEC Jurisdiction and venue authority

Other links

Cyberlaw book links and information

This page is hosted at https://johnbandler.com/solarwinds-breach-and-2023-sec-lawsuit, copyright John Bandler, all rights reserved. No claim to the public legal documents filed.

Originally posted 12/04/2024.  Updated 3/24/2025.