TechTaffy

tech:

taffy

SEC charges SolarWinds and its CISO with fraud over cybersecurity failures

By TechTaffy Desk

The U.S. Securities and Exchange Commission (SEC) has filed charges against Austin-based software firm SolarWinds and its chief information security officer, Timothy Brown.

This appears to be the first time that the SEC is suing a company for intent to deceive stakeholders regarding cybersecurity, as well as failure to build internal checks and balances for security. This is also the first time that the SEC has brought action against a chief information security officer (CISO) in a cybersecurity enforcement action.

The SEC’s allegations focus on misleading investors regarding the company’s cybersecurity measures and not disclosing known risks. These actions span nearly two years from the company’s initial public offering in October 2018 until the public announcement of a large-scale cyberattack in December 2020, named SUNBURST.

In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

According to the SEC’s complaint, SolarWinds’ public disclosures about its cybersecurity posture were inconsistent with internal evaluations. An internal report from 2018, prepared by an engineer, raised concerns about the company’s remote access security. The report was shared internally, including with Mr. Brown. The document highlighted that an attacker exploiting these vulnerabilities could go undetected, potentially causing severe financial and reputational damage to the company.

Additionally, presentations by Mr. Brown in 2018 and 2019 flagged the company’s weak state of security, particularly concerning access and privileges to critical systems. Several communications between SolarWinds employees between 2019 and 2020 questioned the company’s ability to secure its critical assets from cyberattacks.

The SEC complaint alleges that despite being aware of these issues, adequate steps were not taken to resolve them or escalate them within the organization. The inability to secure its key assets, including its flagship Orion product, resulted in a lack of reasonable assurances for its protection.

After SolarWinds disclosed the SUNBURST attack in a Form 8-K filing on December 14, 2020, the company’s stock price dropped by approximately 25% in the following two days and by around 35% by the end of the month.

The SEC’s lawsuit, filed in the Southern District of New York, seeks a variety of penalties against both SolarWinds and Mr. Brown, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and a bar against Brown serving as an officer or director.

Just in

Series E

Corelight raises $150M

San Francisco-based network detection and response (NDR) company Corelight has raised $150 million in a Series E funding round.
AI

Anthropic introduces team plan, iOS app for Claude AI

Anthropic announced two updates for its AI assistant, Claude: a new Team plan and an iOS app.
Industry

Tencent, Mercedes-Benz, EA partner for in-car gaming

Tencent, Mercedes-Benz, and Electronic Arts (EA) announced their partnership at Auto China 2024 to bring in-car gaming to Mercedes-Benz vehicles in China.
AI

Amazon Q generative AI chatbot now generally available

Amazon Web Service (AWS) has announced the general availability of Amazon Q, a generative AI-powered assistant that leverages companies' internal data.
Fundings

Island raises $175M

Dallas, Texas-based enterprise browser company Island raised $175 million in Series D funding, raising the company's valuation to $3 billion.