- Key business and technology industry stakeholders filed amicus briefs in the U.S. District Court for the Southern District of New York Friday backin a motion to dismiss the Securities and Exchange Commission’s civil fraud lawsuit against SolarWinds.
- The U.S. Chamber of Commerce and the Business Roundtable said the SEC has expanded its interpretation of the internal accounting controls provisions of the Foreign Corrupt Practices Act well beyond the original intent of Congress, in a court filing.
- A separate group of 20 former national security and law enforcement officials, including former National Cyber Director Chris Inglis and former Acting National Cyber Director Kemba Walden, urged the court to consider whether the SEC case would make companies reluctant to come forward with urgent threat intelligence.
The SEC filed civil charges against SolarWinds and CISO Tim Brown in October alleging the company misled investors about the true nature of its cybersecurity posture, starting in 2018 when SolarWinds went public and leading up to a supply chain attack by a cyber-espionage group linked to Russia.
SolarWinds allegedly failed to disclose known risks to investors, according to the SEC lawsuit. The agency could potentially ban Brown from holding future executive positions at a publicly traded company.
More than 20 current and former CISOs, along with other industry organizations, warned the allegations against Brown would undermine some of the core functions of information security officers and leave companies at risk of attack, if they were forced to publicly disclose security vulnerabilities, in a brief filed Friday.
The CISO group included current and former officials from major companies, including Salesforce, Exelon, Clorox, Blackstone and Activision Blizzard.
In a separate brief, The Software Alliance, also known as BSA, said the SEC action would force companies to publicly disclose software vulnerabilities that could make them more vulnerable to malicious attacks.
SolarWinds, which filed a motion to dismiss the case in January, said the concerns raised by industry officials reflect some of the fundamental risks stemming from the SEC case.
“We are grateful for the thoughtful amicus briefs filed by a wide range of stakeholders, which highlight that the SEC’s positions in this case are not only unsupported by the law but raise serious security concerns for companies, CISOs, and the public at large,” said Serrin Turner, a partner at Latham & Watkins, which represents SolarWinds, in a statement. ”We remain confident that SolarWinds’ disclosures at all times were appropriate, and the SEC’s assertions otherwise are fundamentally flawed.”
The SEC declined to comment on the briefs and pointed to its public filings and prior statements when the case was originally filed.