
Pair of court rulings have cybersecurity implications
A U.S. District Court judge has dismissed most of the charges the Securities and Exchange Commission (SEC) brought against SolarWinds and CISO Tim Brown in the wake of the now infamous cyberattack that led to malware being injected into an IT service management (ITSM) platform from SolarWinds widely used by companies, government agencies, and IT services providers.
In October 2023, the SEC filed charges against both SolarWinds and Brown, accusing them of misleading investors about the strength of SolarWinds' cybersecurity measures and downplaying or not disclosing risks between 2017 and 2021. U.S. District Judge Paul Engelmayer in Manhattan, in a 107-page decision, said, however, the charges regarding disclosures made after the attack “do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation.”
That doesn’t mean the defendants are free and clear just yet. Engelmayer wrote that the SEC could move ahead with charges related to SolarWinds’ 2017 Security Statement, in which claims of strong cybersecurity policies and practices are alleged by the SEC to be “materially misleading and false.” “Based on the pleadings, the company fell way short of even basic requirements of corporate cyber health,” the judge wrote. The SEC has yet to comment on the ruling but now has two weeks to address the remaining charges, which SolarWinds plans to continue to refute.
At the same time, other court proceedings might impact the SEC’s ability to “interpret” any rule that has not specifically been passed by Congress. The Supreme Court has cut back the power of any federal agency to interpret the laws they administer and ruled that lower courts should rely on their own interpretation of the law.
Specifically, the court overruled a landmark 1984 decision in Chevron v. Natural Resources Defense Council that created a precedent, referred to as the Chevron doctrine, that stipulates that if Congress has not directly addressed the question at the center of a dispute, a court was required to uphold an agency’s interpretation of the statute so long as it was reasonable. But in a 35-page ruling, the court has now determined that doctrine is “fundamentally misguided.” Naturally, that decision will likely have far-reaching implications that not only affect the SEC's operations but almost all compliance regulations ever enacted.
It might take a few years for all these legal proceedings to play out, but in the absence of a specific mandate from Congress, each court may have to interpret how any statute applies, with all the ensuing appeals that will inevitably follow.
Obviously, most cybersecurity professionals would prefer not to find themselves in a dock defending themselves from any charges. None of these rulings eliminate that prospect. They do, however, change the nature of the potential jeopardy faced. If the ruling in the SolarWinds case stands, the evidence of malfeasance will most likely need to include many more specifics. The Chevron ruling, meanwhile, means a court, rather than a federal agency, will determine if any allegation is actually warranted.
Either way, cybersecurity professionals need to ensure they are aware of their legal rights and obligations before signing off on any document that makes any claim about the current state of cybersecurity in their organization.
