The Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cybersecurity practices leading up to the Sunburst attack discovered in December 2020.
The SEC on Monday alleged the company overstated the strength of its cybersecurity practices and failed to disclose known risks from October 2018, when the company went public, up to at least the Sunburst attack.
Public statements from the company contradicted internal assessments, including a 2018 assessment by a company engineer, shared with Brown and others, showing the company’s remote access setup was “not very secure,” the SEC complaint said.
SEC officials allege SolarWinds and Brown ignored repeated red flags that put the company’s cybersecurity at risk.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber control environment, thereby depriving investors of accurate material information,” Gurbir Grewal, director of the SEC’s division of enforcement, said in a statement.
The complaint, filed in the Southern District of New York, alleges SolarWinds violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.
The SEC also alleges SolarWinds violated the reporting and internal controls provisions of the Exchange Act and Brown aided and abetted those violations.
The SEC is seeking permanent injunctive relief, disgorgement with prejudgment interest, civil penalties and to bar Brown from serving as an officer or director.
SolarWinds CEO Sudhakar Ramakrishna responded to the allegations in a blog post, calling the SEC charges “a misguided and improper enforcement action.” The company included the post in an 8-K regulatory filing with the SEC on Monday.
The charges against SolarWinds could have enormous implications for CISOs at companies nationwide, as the SEC increases its scrutiny of C-suite executives.
“CISOs can only do what the rest of the organization — and other executives — permit them to do,” said Jeff Pollard, VP and principal analyst at Forrester, in an email. “This is partially the basis of the SEC action — in that it alleges the CISO failed to raise these issues and their severity to other leaders in the company.”
Pollard cautioned that if Brown did raise these concerns and senior management ignored them, then Brown appears to be being singled out.
Brown joined SolarWinds in 2017 as VP of security. He was promoted to CISO in May 2021.
An internal document shared with Brown and others in September 2020 stated that the volume of security issues “identified over the last month” outstripped the engineering team’s capacity to resolve them, according to the SEC.
SolarWinds also made an incomplete disclosure in a Dec. 14, 2020 filing on Form 8-K, the SEC said. The company’s stock dropped by 25% over the next two days.
SolarWinds disputed the charges in a statement.
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” the company said. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country.”
The charges follow a notification the SEC sent in June that informed the company and Brown of possible action as a result of the investigation.