The U.S. Securities and Exchange Commission (SEC) has filed charges against Austin-based software firm SolarWinds and its chief information security officer, Timothy Brown.
This appears to be the first time that the SEC is suing a company for intent to deceive stakeholders regarding cybersecurity, as well as failure to build internal checks and balances for security. This is also the first time that the SEC has brought action against a chief information security officer (CISO) in a cybersecurity enforcement action.
The SEC’s allegations focus on misleading investors regarding the company’s cybersecurity measures and not disclosing known risks. These actions span nearly two years from the company’s initial public offering in October 2018 until the public announcement of a large-scale cyberattack in December 2020, named SUNBURST.
In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
According to the SEC’s complaint, SolarWinds’ public disclosures about its cybersecurity posture were inconsistent with internal evaluations. An internal report from 2018, prepared by an engineer, raised concerns about the company’s remote access security. The report was shared internally, including with Mr. Brown. The document highlighted that an attacker exploiting these vulnerabilities could go undetected, potentially causing severe financial and reputational damage to the company.
Additionally, presentations by Mr. Brown in 2018 and 2019 flagged the company’s weak state of security, particularly concerning access and privileges to critical systems. Several communications between SolarWinds employees between 2019 and 2020 questioned the company’s ability to secure its critical assets from cyberattacks.
The SEC complaint alleges that despite being aware of these issues, adequate steps were not taken to resolve them or escalate them within the organization. The inability to secure its key assets, including its flagship Orion product, resulted in a lack of reasonable assurances for its protection.
After SolarWinds disclosed the SUNBURST attack in a Form 8-K filing on December 14, 2020, the company’s stock price dropped by approximately 25% in the following two days and by around 35% by the end of the month.
The SEC’s lawsuit, filed in the Southern District of New York, seeks a variety of penalties against both SolarWinds and Mr. Brown, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and a bar against Brown serving as an officer or director.