Case Law

When a 'Security Statement' Becomes Securities Fraud: The SolarWinds Ruling

A judge tossed most of the SEC's landmark case against SolarWinds — but kept alive the claim that the company's public "Security Statement" was materially false. For anyone who publishes assurances about their cybersecurity, that surviving claim is the part to study.

Brandon Hancock, J.D., CMMC-RP · Published July 18, 2024 · Updated June 9, 2026 · 6 min read

On July 18, 2024, Judge Paul Engelmayer of the Southern District of New York dismissed nearly all of the Securities and Exchange Commission's case against SolarWinds and its Chief Information Security Officer, Timothy Brown — but he let one claim stand: that the company's public "Security Statement" was materially false and misleading. The ruling is a securities-law decision about a public company, not a government-contracting case. But its core lesson reaches every organization that makes public representations about its security posture, contractors included.

The Background

The case grew out of the 2020 Sunburst attack, one of the most consequential supply-chain compromises in history: roughly 18,000 SolarWinds customers — including U.S. government agencies — received a compromised Orion software update, though the company later said fewer than 100 were actually exploited. The SEC issued a Wells notice in June 2023 and filed suit in October 2023, accusing SolarWinds and Brown of misleading investors about the company's cybersecurity before and after the breach. It was the SEC's most aggressive cybersecurity-disclosure action to date, and notable for naming the CISO personally.

What the Court Kept — and Threw Out

Judge Engelmayer "denied in part, but granted in large part" the motion to dismiss. What survived is the instructive part:

  • Survived: the SEC's securities-fraud claim based on SolarWinds' "Security Statement" — a document posted in the company's website "Trust Center," written largely by the CISO starting in late 2017, describing the company's security practices. The court found it "viably pled as materially false and misleading in numerous respects."
  • Dismissed: fraud and false-filing claims based on the company's other pre-attack statements and SEC filings; all post-Sunburst disclosure claims (the court called them reliant on "hindsight and speculation"); and the claims about internal accounting and disclosure controls.

In short: the boilerplate risk factors and the after-the-fact disclosures were not actionable — but a specific, public, detailed marketing-style assurance about security *was*.

Why Contractors Should Care

You are not a public company subject to SEC jurisdiction (unless you are). So why does this matter on a government-contracting site? Because the surviving theory is the same one running through the False Claims Act cases we cover: a concrete, specific representation about your security posture is legally operative, and overstating it carries liability. SolarWinds' "Security Statement" is the corporate cousin of a contractor's capability statement, trust-center page, SSP attestation, or SPRS score. The forum and the statute differ; the exposure created by saying more than you can back up does not.

Two further signals stand out. First, the court's willingness to let a claim against a named CISO proceed underscores that individual security leaders can be in the line of fire. Second, the dismissal of the *post-breach* disclosure claims gave the industry some relief — a trade group had warned the case could "chill" candid incident reporting — but it does not undo the core holding about pre-breach assurances.

What to Do With the Lesson

1. Inventory your public security claims. Trust-center pages, marketing assurances, proposal language, and certifications are all representations. Treat them as legal documents.
2. Make them defensible and specific-only-where-true. Vague aspiration is safer than concrete claims you cannot evidence; concrete claims you *can* evidence are safest of all.
3. Align the words to the controls. If your Security Statement says you do X, your environment and documentation should show X.
4. Protect your security leaders. Make sure the people who sign or draft security representations have the authority, budget, and accuracy to stand behind them.

Key Takeaways

  • The July 18, 2024 ruling dismissed most of the SEC's SolarWinds case but sustained the claim that the company's public "Security Statement" was materially false — and let the claim against the CISO proceed.
  • The durable lesson is cross-cutting: specific public representations about cybersecurity are legally operative, mirroring the False Claims Act theory in government contracting.
  • Audit every security assurance you publish or certify, align it to your actual controls, and don't let anyone overstate what you can prove.

For the contracting analog, see our pieces on the Aerojet Rocketdyne $9M settlement and the Georgia Tech false-SPRS-score suit, and the Enforcement & Penalties overview.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
