US federal judge dismisses some lawsuits against software company related to security breaches

Federal judge dismisses some lawsuits against software company for disclosure violations - partial judgment issued.

Eulerpool News Jul 21, 2024, 1:12 PM

A federal judge on Thursday dismissed part of a landmark lawsuit by the government against SolarWinds and its chief cybersecurity officer over the software company's handling of a security breach disclosed in 2020 that affected customers, including US government agencies.

The U.S. Securities and Exchange Commission sued the Austin, Texas-based company SolarWinds and its Chief Information Security Officer, Tim Brown, last year. The matter involved the depiction of the risk of a cyberattack prior to the security breach and the information provided to investors after the incident. It marked the first time the securities regulator took a public company, which had fallen victim to a cyberattack, to court over civil fraud allegations—the most severe charges available to the agency.

Some corporate groups and former prosecutors have criticized the SEC's enforcement actions against hacked companies, arguing that they hold the victims of the attacks, which are sometimes carried out by state-sponsored actors, responsible. The SEC argues that shareholders have a right to know how public companies respond to the risk of attacks, which often impact the company's stock price.

The assertion by the SEC that SolarWinds did not fully disclose the extent of the attack to shareholders was based on "hindsight and speculation," wrote U.S. District Judge Paul Engelmayer. However, the judge allowed the agency's lawsuit to proceed based on other statements made by SolarWinds before the attack regarding its cybersecurity measures and risks.

The USA later blamed state-supported Russian hackers for the attack. Moscow has denied any involvement.

A spokesperson for SolarWinds said the company is pleased with the judge's decision. "We look forward to the next phase, where we will have the opportunity for the first time to present our own evidence and show why the remaining claim is factually inaccurate," he said.

The SEC declined to comment.

The SolarWinds case was unusual in that it targeted a high-ranking cybersecurity manager.

Cybersecurity experts, trade associations, and executives expressed concerns that the lawsuit against Brown indicates that regulators are now prepared to target cybersecurity chiefs. The SEC lawsuit was filed shortly after the conviction of Joseph Sullivan, a former Chief Security Officer of Uber Technologies, for criminal obstruction related to his actions during the company's 2016 data breach, which fueled similar concerns.

David Shargel, a partner at the law firm Bracewell, said that the dismissal of part of the SEC's lawsuit was "a victory in every respect" for SolarWinds. Companies rarely win against SEC lawsuits so early in the process.

"It remains definitely a serious accusation, and it serves as a reminder that companies must ensure that their public statements are accurate and not misleading," he said.

Since the lawsuit against SolarWinds, new SEC rules have come into effect regarding when and how companies must disclose cyberattacks. Publicly traded companies must report cyberattacks to the agency by filing an 8-K form no later than four business days after determining that the attack will have significant impacts on their business. Companies must also outline elements of their cyber risk management process in their annual reports.

It is noteworthy that Engelmayer also dismissed the SEC's claim that SolarWinds had violated rules requiring companies to protect against accounting errors. The judge stated that cybersecurity controls are not part of this process. "This interpretation is untenable," the judge wrote, stating that the controls clearly apply only to financial accounting.

"I think this could provide some reassurance to compliance departments regarding the parameters of disclosure obligations," said Shargel.

SolarWinds had accused the agency in an earlier response to the lawsuit of wanting to expand its regulatory influence in the field of cyber.
