SolarWinds says SEC sucks: Watchdog 'lacks competence' to regulate cybersecurity
The SEC's cybersecurity-related capabilities were again questioned when SolarWinds addressed the allegations that it didn't follow the NIST Cybersecurity Framework at the time of the attack.
The thrust of the SEC's lawsuit is that communications from, and actions taken by, the company and its CISO, Timothy G Brown, allegedly misled investors about its security practices and known risks. Some of those claims SolarWinds did not directly address in its riposte.
"Even though Brown and/or other SolarWinds employees and executives knew about these risks, vulnerabilities, and attacks against SolarWinds' products, SolarWinds' cybersecurity risk disclosures did not disclose them in any way, either individually or by disclosing the increased risk they collectively posed to SolarWinds," the lawsuit read. As for matters related to the communication of its alleged security issues prior to SUNBURST becoming public knowledge, SolarWinds said its disclosures were "accurate both before and after the attack."
As cybersecurity expert Jake Williams said, the SolarWinds case is likely to provide more power to CISOs in the future, regardless of the result.
"The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would," he said.
Rounding off its response, SolarWinds said the SEC's lawsuit "threatens to harm security by pressuring companies to disclose sensitive security information in public filings."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/11/09/solarwinds_sec_filing/