
SEC Brings Charges Against SolarWinds CISO For Misleading Investors Prior To Russian Cyberattack


SEC accuses SolarWinds CISO of misleading investors before Russian cyberattack

The U.S. Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its chief information security officer (CISO), Timothy Brown, for fraud and internal control failures. The charges allege that the company misled investors regarding its cybersecurity practices leading up to a cyberattack orchestrated by Russian hackers in 2019.

Key Takeaway

The SEC has charged SolarWinds and its CISO, Timothy Brown, with fraud for allegedly misleading investors about the company’s cybersecurity practices prior to a Russian cyberattack in 2019. The charges accuse SolarWinds of providing generic risks to investors while being aware of specific deficiencies in its security practices. Timothy Brown, the CISO, failed to address these risks adequately. The SEC’s enforcement action emphasizes the importance of implementing strong controls and transparently disclosing known concerns to investors.

Alleged Misleading of Investors by SolarWinds and Timothy Brown

The SEC claims that SolarWinds and Brown provided investors with generic and hypothetical risks, while being aware of specific deficiencies in the company’s security practices and the increasing risks involved. The complaint states that SolarWinds made claims about their security practices that contradicted internal assessments, and that Brown gave presentations highlighting the vulnerability of the company’s security practices.

However, the SEC asserts that Brown failed to sufficiently address these security risks or take actions to resolve them. Gurbir S. Grewal, the head of the SEC’s enforcement unit, stated that SolarWinds and Brown ignored warning signs, portraying a false picture of the company’s cybersecurity environment and depriving investors of accurate information.

The SolarWinds Cyberattack and Consequences

SolarWinds was targeted by a group of Russian government hackers associated with Russia’s foreign intelligence service. The attackers infiltrated SolarWinds’ network and inserted a backdoor in the code of their flagship Orion network management product. When SolarWinds pushed the compromised software to their customers as an update, the hackers gained access to countless networks, including those of private companies and federal agencies.

The cyberattack was discovered almost a year later, in 2020, revealing that multiple U.S. government departments, including NASA, Homeland Security, and the Department of Justice, were compromised. Additionally, security firm FireEye, as well as various tech companies, universities, and hospitals, fell victim to the breach.

SEC’s Warning and SolarWinds’ Response

In November 2022, the SEC informed SolarWinds of potential enforcement action in relation to the cyberattack, stating that the company’s cybersecurity disclosures and public statements were under investigation. SolarWinds’ former CEO, Kevin Thompson, faced criticism from U.S. lawmakers for blaming the weak password “solarwinds123” on a SolarWinds file server, which had been used for several years before being discovered by a security researcher. The SEC’s complaint highlights that this password did not meet the company’s publicly stated complexity requirements, thus contradicting their security statement.

SolarWinds’ CEO Sudhakar Ramakrishna reacted to the SEC’s action, labeling it as misguided and improper, and announcing the company’s intention to vigorously oppose the charges. Timothy Brown’s attorney, Alec Koch, expressed confidence in defending Brown’s reputation and correcting the inaccuracies alleged by the SEC.

As the case unfolds, it serves as a reminder to companies to be transparent in their cybersecurity practices and to provide investors with accurate and reliable information regarding potential risks.
