SolarWinds, CISO Facing SEC Charges in Connection with Massive Sunburst Attack

The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures in connection with the massive breach disclosed in late 2020.

In June, SolarWinds CEO Sudhakar Ramakrishna said his company planned to fight any enforcement action by the SEC. SolarWinds sent us the following statement regarding the SEC charges:

"We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our secure by design commitments."

The SEC complaint alleges that, from at least its October 2018 initial public offering (IPO) through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed Sunburst, SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.

Related:How SolarWinds' Massive Hack Upended Cybersecurity

In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only "generic and hypothetical" risks at a time when the company and Brown "knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time," the SEC said.

SEC Charges: Public Statements 'at Odds' with Internal Assessments

As the SEC charges allege, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.

Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient." In addition, a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have ... outstripped the capacity of engineering teams to resolve.”

Related:SolarWinds Hackers Strike Again, Targeting 150-Plus Organizations Mostly in the U.S.

The SEC charges allege Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities, but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

Incomplete Disclosure

According to the SEC charges, SolarWinds made an incomplete disclosure about the Sunburst attack in a Dec. 14, 2020, Form 8-K filing, after which its stock price dropped approximately 25% over the next two days and approximately 35% by the end of the month.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude 'we’re so far from being a security-minded company,’” said Gurbir S. Grewal, director of the SEC’s division of enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

The SEC’s complaint, filed in the Southern District of New York, alleges SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. SolarWinds allegedly violated reporting and internal controls provisions of the Exchange Act, and Brown allegedly aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.