SEC sues SolarWinds for fraud in security reports

U.S. Securities and Exchange Commission
Cristina De Luca

November 14, 2023

The week didn’t start well for SolarWinds. Regulators at the Securities and Exchange Commission (SEC) accuse the company and its CISO, Tim Brown, of misleading investors about the company’s cybersecurity risks and practices by disclosing only generic and hypothetical risks, even though they knew about specific issues. In addition to financial penalties, the SEC is asking that Brown be prohibited from holding any executive position due to his role in the alleged misrepresentation of cybersecurity practices.

The SEC’s charges come almost three years after SolarWinds’ monitoring system was hacked in an attack later attributed to Russian hackers. But the consequences have implications for the entire industry, says Jonathan Armstrong, a lawyer at Cordery Compliance, who advises security leaders to “beware”. “It’s a stark reminder that the responsibility to safeguard data and ensure transparency should never be neglected,” he said in an interview with Information Security Media Group.

Prior to this action, the SEC had never charged a public company with fraud based on data related to a cyberattack or its cybersecurity disclosures. The big concern now is whether the SEC – and others – will start holding CISOs accountable for breaches, forcing companies to be more judicious in disclosures regarding their cybersecurity programmes.

The expectation of many security professionals is that boards will start asking questions like: “How do we validate that the information we disclose about our cybersecurity program is accurate and complete?” and “Has any information come to our attention that contradicts the information we are disclosing?”

It’s worth remembering that the attack on SolarWinds’ product in 2020 culminated in one of the worst cyber espionage incidents in US history, affecting several of the country’s government and intelligence agencies. The SEC says that SolarWinds failed to maintain adequate internal controls for years and underestimated vulnerabilities. According to the text of the lawsuit, the software manufacturer, which went public in 2018, made only “generic” disclosures about cybersecurity risk in both its prospectus and ongoing filings.

The SEC lawsuit also cites several internal emails and messages that openly discussed alleged misrepresentations made by the company about material risks in its cybersecurity systems and products “riddled” with vulnerabilities.

“It is alarming that the SEC has filed what we believe to be a misguided and improper [lawsuit] against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” said SolarWinds President and CEO Sudhakar Ramakrishna in response to the charges in the lawsuit.

“We have made a deliberate choice to speak out, frankly and often, to share what we have learnt to help others become more secure. We’ve partnered closely with the government and encouraged other companies to be more open about security, sharing information and best practices,” he said, adding that “the SEC’s charges now jeopardise the open sharing of information that cybersecurity experts agree is necessary for collective security.”

It’s also worth remembering that this isn’t the first time SolarWinds has been sued over the hack discovered in December 2020. In 2021, two pension funds that invested in the company’s shares also sued its management for the same reasons alleged by the SEC. According to these funds, SolarWinds knew about the cyber risks even before the attack, but took no action, which created vulnerabilities in thousands of customer systems. This lawsuit named several current and former directors as defendants, as well as the company itself.