SolarWinds has been targeted by a hacker group with Russian backing in one of the most serious cyber-espionage cases in U.S. history.
The Securities and Exchange Commission filed a lawsuit alleging that the cybersecurity firm SolarWinds was hacked by a Russian hacking group, had committed fraud, and had not maintained adequate internal controls in the years leading up to the attack.
The lawsuit, filed on Monday, names SolarWinds Chief Information Security Officer Tim Brown and alleges the company overstated its cybersecurity practices and underestimated known vulnerabilities within the company's system.
SolarWinds' shares fell 1.5% on Tuesday.
In a recent press release, SEC enforcement director Gurbir Grewal stated that "We allege for years, SolarWinds, and Brown, ignored repeated red flags about SolarWinds' cyber risks which were known to the entire company."
SolarWinds was publicly listed in 2018 and only made "generic disclosures" about cybersecurity risks in its prospectus as well as in subsequent filings, the complaint stated. The SEC claimed that SolarWinds knew its cybersecurity practices were poor, and pointed to an internal presentation by Brown made in the month SolarWinds was publicly listed.
Brown wrote in the presentation that SolarWinds' "current security state leaves us in an extremely vulnerable state". The SEC complaint included numerous internal emails that discussed the alleged false claims made by SolarWinds, as well as material risks within its cybersecurity systems and products "riddled with vulnerabilities".
This is one of the very first instances in which the SEC has accused a company of misleading and defrauding investors about cybersecurity risks.
Orion, SolarWinds’ "crown jewel", is used to manage technology and I.T. In 2019, it was compromised by a Russian-aligned group called Nobelium, a hack that remained undetected for most of 2020.
The SEC claimed that the myriad vulnerabilities, which the company knew about, were not acknowledged in its regulatory disclosures. Some of these vulnerabilities led directly to the Russian-backed hacking of Orion.
In a message from 2020 cited in the complaint, an information security employee allegedly told a manager that he couldn't figure out how to fix the flaws in their flagship Orion product. SolarWinds acknowledged the hack by filing a regulatory disclosure in December 2020, a month after the employee had allegedly emailed their manager. Brown and other executives drafted the filing, which was signed by SolarWinds’ then-CEO Kevin Thompson.
The SEC claimed that SolarWinds failed to disclose, despite admitting the hack, that the vulnerability exploited by the Russian hackers had been used to target other SolarWinds clients, including two unnamed cyber-security firms and a federal agency that was not named.
The 68-page lawsuit accuses Brown and the company of misleading investors by falsely claiming SolarWinds' password policy was strong and that SolarWinds maintained strong access controls, while maintaining "weak controls" that allowed employees to access administrative functions "regularly and widely."
The complaint also cited alleged misstatements made by Brown, who is still SolarWinds' CISO. Brown allegedly claimed on numerous occasions, including in podcasts from 2019 to 2020, that the company "focused" its efforts on "hygiene" and "cyber best practices". The SEC claimed that Brown was aware that the company did not follow these best practices.
The SEC stated in its complaint that "a reasonable investor would have thought it important to be aware of the true security status of SolarWinds, particularly regarding the Company's control over access to 'information systems' and sensitive data."
The lawsuit comes at a time when major corporations are preparing for a new rule on cyber disclosure that will require companies to disclose cybersecurity incidents within days of their discovery. In the wake of major breaches that affected corporations such as Clorox and MGM Resorts, regulators have started to pay more attention to hacks.
In a Monday statement, the company stated that it believes the SEC is pursuing "a misguided enforcement action against us." SolarWinds filed the same statement with the SEC.
SolarWinds CEO Sudhakar Ramakrishna said in a filing that the company had maintained adequate cybersecurity controls before the hack, and since then has been leading the way to continuously improve enterprise software security by implementing evolving industry standards.
A SolarWinds spokesperson stated in a press release that the SEC charges were unfounded and that they will be challenged in court. The company stated that it has been working with the SEC for the past three years and emphasized its full support for Brown, who will remain as SolarWinds CISO.
In a statement to CNBC, Brown's lawyer Alec Koch stated that Brown had worked "responsibly and tirelessly" to improve the cybersecurity posture of the Company during his tenure at SolarWinds. Koch added that they look forward to defending Brown's reputation and correcting any inaccuracies contained in the SEC complaint.