The Securities and Exchange Commission (SEC) has filed charges against SolarWinds, along with its Chief Information Security Officer (CISO), accusing them of fraud related to the disclosure of security risks.

The U.S. Securities and Exchange Commission (SEC) has initiated legal action against SolarWinds and its Chief Information Security Officer, Timothy Brown, alleging deception of investors and the public regarding risk disclosures.

According to the SEC, both the organization and its CISO overstated the effectiveness of SolarWinds’ cybersecurity measures and downplayed or omitted information about acknowledged threats during a notable cyberattack suffered by SolarWinds.

The lawsuit, filed in Manhattan federal court, accuses SolarWinds of violating the Securities Act of 1933 and the anti-fraud regulations of the Securities Exchange Act of 1934. The SEC is seeking a permanent injunction, monetary penalties for SolarWinds, and a ban on Timothy Brown from holding executive or directorial positions.

The legal action stems from the successful infiltration of SolarWinds’ internal systems by the APT29 threat group from Russia. This attack compromised the SolarWinds Orion IT management platform through builds released between March 2020 and June 2020. The compromised builds facilitated the introduction of the Sunburst backdoor into the systems of “less than 18,000” entities. The attackers selectively targeted a smaller subset of this group for further exploitation.

This cyberattack had widespread repercussions, affecting several prominent organizations in Corporate America and multiple U.S. government departments, including Defense, Justice, Commerce, Treasury, Homeland Security, State, and Energy. For a detailed chronology of events, refer to our comprehensive SolarWinds Cyber Attack Timeline.

An internal presentation by SolarWinds in 2018 reportedly acknowledged vulnerabilities in its remote access infrastructure, emphasizing potential significant reputational and financial implications.

By June 2020, Brown expressed concerns about a cyberattack on a SolarWinds client, suggesting the possibility of the Orion software being exploited for broader malicious activities. Despite being aware of these vulnerabilities, Brown allegedly did not take sufficient internal measures to address them. The SEC contends that even with Brown’s knowledge of distinct shortcomings in SolarWinds’ cybersecurity measures, the company only reported generalized risks in its documentation during that period.

Gurbir Grewal, director of the SEC’s Division of Enforcement, stated, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company.’ Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

In response, a SolarWinds spokesperson stated, “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
The SEC’s legal action against Timothy Brown is likely to raise concerns among Chief Information Security Officers (CISOs) globally, sparking a renewed debate on the personal liabilities associated with the CISO position. Questions around this issue, which gained attention when Uber’s CISO Joe Sullivan faced legal consequences last year, are expected to resurface. CISOs worldwide are likely reevaluating their cybersecurity response strategies, aiming to strike a balance between business goals and strategic security actions.

This emphasizes the critical importance of Incident Response & Preparation, a fundamental aspect of cybersecurity readiness and leadership. In the current threat landscape, where attacks are unavoidable, having a robust incident response plan becomes imperative. The SEC’s actions will likely drive increased engagement between boards and CISOs globally, prompting executive teams to prioritize a review of their cybersecurity posture and risks.

Immediate Recommendations:

Increased Focus on Transparency in Cybersecurity Reporting: Organizations should ensure that their cybersecurity practices and the reporting of these practices are transparent and accurate, avoiding the downplay of known risks or vulnerabilities.

Enhanced Organizational Accountability: This case serves as a reminder of the importance of accountability in cybersecurity, extending beyond the CISO to encompass the entire leadership team, including boards and senior management.

Reevaluation of Cybersecurity Strategies: In response to the evolving threat landscape, as exemplified by the SolarWinds incident, organizations should continually reevaluate and update their cybersecurity strategies to ensure they are robust and effective in addressing current and emerging threats.

Conclusion:

The SEC’s legal action against SolarWinds and Timothy Brown underscores the critical role of transparency and accountability in cybersecurity practices, especially in the context of investor and public trust. This case highlights the increasing scrutiny on how companies report cybersecurity risks and the actions of their CISOs. It serves as a cautionary tale for organizations and security professionals about the consequences of underestimating or misrepresenting cybersecurity threats.

In light of this case, organizations globally may need to reassess how they communicate their cybersecurity strategies and vulnerabilities. This could lead to a more nuanced understanding of the responsibilities of CISOs and the importance of candid risk disclosures. The SolarWinds incident also reinforces the need for robust cybersecurity measures and proactive approaches to address potential threats and vulnerabilities.

The SEC’s actions signify a shift towards greater accountability in cybersecurity, which may prompt companies to review and enhance their cybersecurity policies and practices. It is a reminder of the importance of ongoing vigilance and adaptation in the face of evolving cyber threats and the need for clear, honest communication about cybersecurity risks.
