The SEC Files a Lawsuit Against SolarWinds and Their CISO
In a significant legal move, the U.S. Securities and Exchange Commission (SEC) has brought a lawsuit against IT management company SolarWinds, accusing it of fraud by overstating its cybersecurity measures and downplaying known system vulnerabilities for years leading up to the 2019 cyber-espionage incident perpetrated by a Russian-aligned hacking group.
The case, which also names SolarWinds’ Chief Information Security Officer Tim Brown, alleges that the company presented a misleading picture of its cyber defenses, which ultimately failed to prevent one of the most damaging espionage attacks on U.S. soil. This accusation sent SolarWinds’ stock tumbling by 1.5% following the news.
According to SEC Enforcement Director Gurbir Grewal, the company and Brown continually ignored warning signs of inadequate cybersecurity, which were common knowledge within the company’s ranks. The SEC’s complaint points to an internal presentation by Brown from the month of SolarWinds’ IPO in 2018, which starkly contrasted the public image the company projected about its cyber resilience.
The SEC’s documentation draws attention to internal emails and communications within SolarWinds that discuss known vulnerabilities and the discrepancy between the company’s public statements and the actual state of its cybersecurity, calling into question the integrity of its flagship Orion product, the very tool compromised in the 2019 hack by Nobelium.
This case appears to be a groundbreaking moment where the SEC is directly challenging a company for defrauding investors through false cybersecurity assurances. SolarWinds’ disclosures failed to mention several vulnerabilities, some of which were exploited in the Orion hack.
As revealed in the 68-page complaint, the company, despite acknowledging the cyberattack, did not fully disclose to investors that the exploited vulnerability had also been used to target other customers, including cybersecurity firms and a federal agency. The SEC criticizes SolarWinds for its claims of adhering to cybersecurity frameworks, alleging that the company maintained weak access controls and inadequate password policies for years.
Brown, in particular, is under scrutiny for allegedly asserting the company’s dedication to cyber hygiene and best practices in public statements, even though he was aware of the company’s shortcomings in these areas.
The SEC’s lawsuit emerges as regulatory bodies intensify their focus on cyber incidents and as new rules are being proposed that would require companies to report cybersecurity incidents promptly. This heightened scrutiny follows a series of high-profile breaches that have significantly impacted a range of corporations.
In response to the SEC’s charges, SolarWinds has expressed its intention to vigorously defend itself in court. The company has argued that it has always maintained adequate cybersecurity controls and has been a leader in enhancing software security standards. Supporting Brown, SolarWinds emphasizes his continuous efforts to improve the company’s cybersecurity landscape and challenges the claims laid out by the SEC.
As the legal proceedings unfold, this lawsuit against SolarWinds will be closely watched, not just for its outcome but for the precedent it may set regarding corporate cybersecurity responsibility and transparency.