In a surprising development on Monday that is spooking the cybersecurity community, the Securities and Exchange Commission (SEC) filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks.
The charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses that took place between the company’s October 2018 initial public offering (IPO) and its December 2020 revelation of a sophisticated cyberattack dubbed “SUNBURST.”
The software supply chain cyberattack involved Russia-linked threat actors breaching SolarWinds systems in 2019, or possibly even earlier. The hackers compromised the automated build environment for the company’s Orion monitoring software, and in the spring of 2020 they pushed out malicious Orion updates to SolarWinds customers.
According to the complaint filed by the SEC, Austin, Texas-based SolarWinds and Brown are accused of deceiving investors by overstating the company’s cybersecurity practices while understating or failing to disclose known risks. The SEC alleges that SolarWinds misled investors by disclosing only vague and hypothetical risks while internally acknowledging specific cybersecurity deficiencies and escalating threats.
A key piece of evidence cited in the complaint is a 2018 internal presentation prepared by a SolarWinds engineer that was shared internally, including with Brown. The presentation stated that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to “major reputation and financial loss” for the company. Similarly, presentations by Brown in 2018 and 2019 indicated concerns about the company’s cybersecurity posture.
The SEC’s complaint also points to internal communications among SolarWinds employees, including Brown, in 2019 and 2020, which raised questions about the company’s ability to protect its critical assets from cyberattacks. In June 2020, Brown expressed concerns that an attacker may use SolarWinds’ software in larger attacks, noting that “our backends are not that resilient.” Additionally, a September 2020 internal document shared with Brown and others stated that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”
The SEC alleges that despite being aware of these cybersecurity risks and vulnerabilities, Brown failed to address them adequately within the company. As a result, the company was unable to provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.
SolarWinds’ incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing resulted in a significant drop in the company’s stock price, falling approximately 25 percent over the next two days and approximately 35 percent by the end of the month.
Gurbir Grewal, Director of the SEC’s Division of Enforcement, stated, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company.’ Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The SEC’s complaint, filed in the Southern District of New York, charges SolarWinds and Brown with violating the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. SolarWinds is also accused of violating reporting and internal controls provisions of the Exchange Act, while Brown is alleged to have aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, claims the company did maintain appropriate cybersecurity controls prior to the SUNBURST incident and said the company will “vigorously oppose this action by the SEC.”
Ramakrishna sees it as alarming that the SEC “has now filed what we believe is a misguided and improper enforcement action” against the company, which he says is a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Ramakrishna noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” a SolarWinds spokesperson told SecurityWeek. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
*Updated with statement from SolarWinds spokesperson.