SolarWinds will contest a lawsuit brought by the Securities and Exchange Commission (SEC) against it and its chief information security officer (CISO) alleging fraud and internal control failures related to the cyberattack on the software company disclosed in 2020.
The SEC announced charges against SolarWinds and CISO Tim Brown on Monday for “defraud[ing] investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.” The agency is seeking permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer-and-director bar against Brown in its litigation.
A SolarWinds spokesperson said in an emailed statement the company was disappointed by the SEC’s lawsuit and “deeply concerned” the action puts national security at risk. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country,” the statement read.
Legal representatives for Brown at law firm King & Spalding said he has worked “tirelessly and responsibly” to improve cybersecurity at SolarWinds and looks forward to “defending his reputation and correcting the inaccuracies in the SEC’s complaint.”
The details: In December 2020, hackers backed by Russia were reported to have infiltrated SolarWinds, which provided network management software to hundreds of large companies and government agencies. It was later determined that the improper access might have begun as early as January 2019, a finding the SEC cited in its complaint.
Beginning in 2018, SolarWinds and Brown were aware of significant weaknesses in the company’s cybersecurity systems that could be exploited, according to the SEC. Despite this knowledge, the company’s public statements about its cybersecurity practices and risks on its website and in regulatory filings “painted a starkly different picture from internal discussions and assessments,” the agency said, and presented cybersecurity risks as hypothetical at a time when SolarWinds knew it had major vulnerabilities.
When SolarWinds disclosed it was the victim of an attack in 2020, its stock dropped significantly, causing harm to investors.
“[This] enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns,” said SEC Enforcement Director Gurbir Grewal in the agency’s press release.
Compliance considerations: Brown, who served as SolarWinds’ vice president of security and architecture before being named CISO in January 2021, was charged with aiding and abetting the company’s alleged violations of securities laws.
Brown signed subcertifications attesting to the adequacy of SolarWinds’ cybersecurity internal controls that the company’s executives relied on when submitting regulatory filings to the SEC, according to the agency.
The SEC faulted Brown for not resolving the apparent long-running cybersecurity issues at SolarWinds, including his alleged failure to ensure senior executives were “sufficiently aware of, or understood, the severity of cybersecurity risks, failings, and issues that he and others knew about.”