SolarWinds to SEC: Don't 'revictimise the victim' The Register

In a statement to The Register, Serrin Turner, an attorney at Latham and Watkins, which is representing SolarWinds, railed against the SEC's charges.
In late October, the SEC filed the legal complaint against SolarWinds alleging that the company and its CISO misled investors about its security practices as far back as October 2018.
This all culminated in the firm's December 2020 disclosure that its Orion networking tool had been backdoored and public and private customers had been compromised as a result of deploying the malicious code.
It was later determined by the US government that the culprits were Russian state-sponsored spies.
Around 18,000 organizations downloaded the poisoned software, although the number that were hacked by Russia's Cozy Bear was about 100.
These include Microsoft, Intel, FireEye and Cisco, as well as US government agencies including the Treasury, Justice and Energy departments, and the Pentagon.
The SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings.
That is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers.
The SEC did not respond to The Register's request for comment.


This Cyber News was published on go.theregister.com. Publication date: Mon, 29 Jan 2024 21:13:04 +0000

