SEC charges SolarWinds, CISO with fraud and internal control failures

WASHINGTON, D.C. – The Securities and Exchange Commission (SEC) announced charges against software company SolarWinds and its chief information security officer (CISO), Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

A release from the SEC makes note of the complaint which alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year-long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.

The SolarWinds incident involved authorities discovering that the SolarWinds program, a network monitoring software used by the federal government, was discovered to have a number of security vulnerabilities which led to cyber criminals selling access to the program’s infrastructure. SUNBURST would be followed by a second attack that would be dubbed “SUPERNOVA” that Microsoft discovered in 2020 while investigating supply chain attacks.

According to the SEC, SolarWinds filings during this period allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” Gurbir S. Grewal, director of the SEC’s Division of Enforcement said. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

SolarWinds’ public statements about its cybersecurity practices and risks did not match its internal assessments the complaint alleges, and the SEC cited a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.

In a condemnation of the CISO, the SEC said that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. Brown is accused of being aware of SolarWinds’ cybersecurity risks and vulnerabilities but failing to resolve the issues or raise them sufficiently further within the company.

SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month. Prior to this, insiders at SolarWinds sold roughly $280 million in stocks which have led to insider trading accusations, despite a company spokesperson’s claims that that those selling the stocks had been unaware of the attack at the time.

The SEC’s complaint alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

The full press release and complaint can be found online at www.sec.gov.