Security News > 2023 > October > SolarWinds and CISO accused of fraud, control failures
The Securities and Exchange Commission announced charges against SolarWinds and its CISO, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed SUNBURST, SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.
As the complaint alleges, SolarWinds' public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds' remote access set-up was "Not very secure" and that someone exploiting the vulnerability "Can basically do whatever without us detecting it until it's too late," which could lead to "Major reputation and financial loss" for SolarWinds.
According to the SEC's complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was "Very concerning" that the attacker may have been looking to use SolarWinds' Orion software in larger attacks because "Our backends are not that resilient;" and a September 2020 internal document shared with Brown and others stated, "The volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve."
"Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information. Today's enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company's 'crown jewel' assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."
The SEC's complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company's violations.
News URL
https://www.helpnetsecurity.com/2023/10/31/sec-solarwinds-ciso-accused-fraud-control-failures/