SEC Files Charges Against SolarWinds and Its CISO for Fraudulent Cybersecurity Disclosures

The fallout from 2020’s massive SUNBURST cyberattack at SolarWinds continues. The U.S. Securities and Exchange Commission (SEC) filed charges against SolarWinds and its chief information security officer (CISO) Timothy G. Brown on 30 October for allegedly understating cybersecurity risks to stakeholders and missing numerous warning signs about potential threats.

“It is unusual for a company CISO to be named in SEC charges for non-disclosure,” CSO Online wrote. “The SolarWinds case could act as a pivotal point for the role of a CISO, transforming it into one that requires a lot more scrutiny and responsibility.”

The SEC alleges that Brown and the company misled investors by only disclosing generic and hypothetical risks, even though they allegedly knew of specific deficiencies in SolarWinds’ cybersecurity practices and increasingly elevated risks facing the company. The CISO’s statements to the board about cybersecurity were heavily relied on when filing periodic reports with the SEC about cybersecurity risks and controls, the complaint said.

“The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company,” according to an SEC press release. “As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.”

The SEC complaint noted that SolarWinds’ public statements about cybersecurity “painted a starkly different picture” from internal assessments about the company’s policy violations, vulnerabilities, and cyberattacks, and that the “true state of SolarWinds’ cybersecurity practices, controls, and risks ultimately came to light only following a massive cyberattack—which exploited some of SolarWinds’ poor cybersecurity practices—and which impacted thousands of SolarWinds’ customers.”

The company’s prior SEC filings lumped cyberattacks in a broad list of risks alongside natural disasters, power loss, fire, telecommunication failures, and employee theft, and it allegedly failed to address known cyber risks. Internal communications—including emails, messages, and documents—describe numerous known material cybersecurity risks and vulnerabilities that were not included in public disclosures, the SEC said.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement, as part of the press release. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In a statement after the SEC charges were publicly released, SolarWinds CEO Sudhakar Ramakrishna rebuffed the SEC filing, citing the rapid response to the SUNBURST breach discovery, which “is exactly what the U.S. government seeks to encourage.”

“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC,” he continued.

The SUNBURST attack isn’t the only reason for the SEC complaint; experts told VentureBeat that false statements about security would have violated securities law even if SolarWinds had not been hacked.

The U.S. Securities and Exchange Commission (SEC) adopted final rules Wednesday that require registrants to disclose material cybersecurity incidents within four business days and be more transparent about their cybersecurity posture. https://t.co/xLcxqc3Ind

— Security Management (@SecMgmtMag) July 28, 2023

The SEC is radically changing its approach to cybersecurity vulnerabilities and disclosures. A new rule was put in place this summer—becoming fully enforceable in December 2023—that requires registrants to report cyber incidents within four business days and be more transparent about their cybersecurity posture.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chair Gary Gensler in a statement. “Currently, many public companies provide cybersecurity disclosures to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Learn more about the SolarWinds breach and the attack’s ongoing effects on supply chain management, cyber espionage, and risk mitigation here.