SecurityWeek

SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures

The SEC filed charges against SolarWinds and its CISO over misleading investors about its cybersecurity practices and known risks.

In a surprising development on Monday that is spooking the cybersecurity community, the Securities and Exchange Commission (SEC) filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks.

The charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses that took place between the company’s October 2018 initial public offering (IPO) and its December 2020 revelation of a sophisticated cyberattack dubbed “SUNBURST.”

The software supply chain cyberattack involved Russia-linked threat actors breaching SolarWinds systems in 2019, or possibly even earlier. The hackers compromised the automated build environment for the company’s Orion monitoring software, and in the spring of 2020 they pushed out malicious Orion updates to SolarWinds customers.

According to the complaint filed by the SEC, Austin, Texas-based SolarWinds and Brown are accused of deceiving investors by overstating the company’s cybersecurity practices while understating or failing to disclose known risks. The SEC alleges that SolarWinds misled investors by disclosing only vague and hypothetical risks while internally acknowledging specific cybersecurity deficiencies and escalating threats.

A key piece of evidence cited in the complaint is a 2018 internal presentation prepared by a SolarWinds engineer that was shared internally, including with Brown. The presentation stated that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to “major reputation and financial loss” for the company. Similarly, presentations by Brown in 2018 and 2019 indicated concerns about the company’s cybersecurity posture.

The SEC’s complaint also points to internal communications among SolarWinds employees, including Brown, in 2019 and 2020, which raised questions about the company’s ability to protect its critical assets from cyberattacks. In June 2020, Brown expressed concerns that an attacker may use SolarWinds’ software in larger attacks, noting that “our backends are not that resilient.” Additionally, a September 2020 internal document shared with Brown and others stated that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

The SEC alleges that, despite being aware of these cybersecurity risks and vulnerabilities, Brown failed to address them adequately within the company. The complaint adds that, as a result, the company was unable to provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

SolarWinds’ incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing resulted in a significant drop in the company’s stock price, falling approximately 25 percent over the next two days and approximately 35 percent by the end of the month.

Gurbir Grewal, Director of the SEC’s Division of Enforcement, stated, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company.’ Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The SEC’s complaint, filed in the Southern District of New York, charges SolarWinds and Brown with violating the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. SolarWinds is also accused of violating reporting and internal controls provisions of the Exchange Act, while Brown is alleged to have aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, claims the company did maintain appropriate cybersecurity controls prior to the SUNBURST incident and said the company will “vigorously oppose this action by the SEC.”

Ramakrishna called it alarming that the SEC “has now filed what we believe is a misguided and improper enforcement action” against the company, describing the action as a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.

“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Ramakrishna noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” a SolarWinds spokesperson told SecurityWeek. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”

*Updated with statement from SolarWinds spokesperson.

Related: Microsoft: SolarWinds Hackers Attempted to Access Our Systems Until January 2021

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
