The SEC (Securities and Exchange Commission) has charged the software company SolarWinds and its CISO (chief information security officer), Timothy G. Brown, with fraud and internal control failures relating to its cybersecurity practices.
In a press release dated October 30, the SEC said that from the company’s IPO (initial public offering) in October 2018 until December 2020, when it revealed that it had been the victim of a cyber attack, SolarWinds had defrauded investors by overstating its cybersecurity practices and downplaying the risks it faced.
The attack, known as SUNBURST, compromised the company’s Orion IT monitoring and management software, enabling the attackers, the Russian nation-state group Nobelium, to push malicious updates to SolarWinds customers, affecting tens of thousands of organizations, including the U.S. government. It was one of the biggest supply-chain attacks ever recorded.
However, according to the SEC, the company’s SEC filings “allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
“Not very secure”
According to the SEC, an internal SolarWinds presentation in 2018 by a company engineer warned that its remote access set-up was “not very secure” and that anyone who breached it could “basically do whatever without us detecting it until it’s too late.”
In 2020, while investigating a cyberattack on a SolarWinds customer, Brown himself wrote that the company’s “backends are not that resilient.”
Despite these concerns, the SEC alleges, Brown “failed to resolve the issues or, at times, sufficiently raise them further within the company” as a result of which “the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.”
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said:
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
New SEC cybersecurity disclosure rules
The SEC has introduced new rules on cybersecurity disclosures, which begin to apply from December 15 this year.
The new rules require organizations to disclose certain information about their cybersecurity risk management, strategy and governance, as well as disclosing material cybersecurity incidents.
Free webinar: An Introduction to the SEC Cybersecurity Disclosure Rules
Join William Gamble on Thursday, November 30 at 11:00 am (EST) for a free webinar about the new SEC rules.
- Get an overview of the SEC’s proposed rules and their significance
- Determine if your organization falls under the SEC’s jurisdiction
- Understand the compliance requirements for listed companies
- Get an in-depth examination of current laws, including:
- Disclosure requirements and materiality
- 10 B 5 implications
- Previous cyber incidents, hacks, and vulnerabilities
- Identify and address compliance challenges emerging from compliance issues