SolarWinds, CISO Targeted in SEC Lawsuit

The Securities and Exchange Commission (SEC) on Monday filed a lawsuit against SolarWinds and its CISO, Tim Brown, alleging fraud and that the company failed to maintain adequate internal controls in the years prior to a 2019 Russia-backed hack.

The suit claims the company overstated cybersecurity practices while understating its own cybersecurity vulnerabilities.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” Gurbir Grewal, SEC enforcement director, said in a release.

The 68-page complaint includes specific alleged misstatements by Brown, who is still acting as CISO. Nobelium, the codename for the Russia-aligned hacking group, in 2019 hacked SolarWinds’ Orion software, which numerous government agencies used. The hack was not made public until December 2020, a month after an employee discovered the attack. “Can’t really figure out how to unf**k this situation,” the employee said in a message sited in the SEC lawsuit.

The SEC alleges SolarWinds failed to disclose that the vulnerability was shared by other customers as well, including two unnamed cybersecurity firms and an unnamed federal agency. The breach was first detected by cybersecurity firm FireEye, which was also impacted.

Related:2020 SolarWinds Breach: Execs Face Potential SEC Legal Action

“A reasonable investor, considering whether to purchase or sell SolarWinds stock, would have considered it important to know the true state of SolarWinds’ security, especially regarding the state of the company’s access controls for ‘information systems’ and ‘sensitive data,’” the SEC complaint said.

SolarWinds shot back in a statement released to the public and filed with the SEC, which it said was pursuing “a misguided and improper enforcement action against us.”

“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST [the codename for the attack] and has led the way ever since in continuously improving enterprise software security based on evolving industry standards,” the filing, signed by SolarWinds CEO Sudhakar Ramakrishna, said.

A spokesperson for SolarWinds, in an email to InformationWeek, said, “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”

In a statement to CNBC, Brown’s attorney Alec Koch said, “Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”

CISOs and other IT leaders, as well as the entire C-suite, should take note, says Igor Volovich, vice president for compliance strategy at Qmulos.

"The SEC’s investigation extending to SolarWinds’ CFO is a clear indication that accountability for cybersecurity and compliance doesn’t stop at the CISO’s desk; it’s a boardroom issue," he tells InformationWeek in an e-mail interview. "Every member of the executive team is responsible, and they need to be actively involved in ensuring the company’s security posture is robust and accurately reported. Let’s not ignore the fact that the SEC served Wells notices on both the CISO and the CFO. This is about trust, accountability, and the integrity of your entire organization. Misrepresenting your security posture doesn’t just harm your stakeholders; it undermines the very foundation of trust for your company. The SEC is not mincing words: security negligence coupled with inaccurate compliance reporting is tantamount to shareholder fraud."