The Securities and Exchange Commission (SEC) accused SolarWinds of fraud and failure to keep proper internal safeguards in place for a prolonged period of time. The IT firm was subject to an extensive cyber espionage campaign, allegedly sponsored by Russia, that has been one of the most damaging to American interests thus far.
The SEC has alleged that, prior to the Russian-backed hacking incident, information technology firm SolarWinds committed fraud and neglected to maintain suitable internal control measures. The suit also names the company's Chief Information Security Officer, Tim Brown, and accuses SolarWinds of exaggerating its cybersecurity practices and not disclosing known vulnerabilities in its systems. In response, SolarWinds' shares dropped by 1.5%. Gurbir Grewal, head of SEC enforcement, stated that the company and Brown neglected to act on the "red flags" about SolarWinds' cyber risks.
The SEC has accused SolarWinds of not disclosing material risks when it went public in 2018, and of knowing about security weaknesses in its Orion software, which was relied upon by various government organizations. Internal messages from the company are also included in the complaint, with one employee reportedly saying that it was difficult to "unf**k" the security issues with the Orion product. Though SolarWinds eventually acknowledged the hacking incident in a regulatory filing in December 2020, it failed to advise that the hackers had targeted other customers, including two unnamed security companies and a federal agency.
According to the SEC's 68-page complaint, SolarWinds and Brown misled investors about the company's compliance with cybersecurity frameworks, about weak access controls that routinely granted administrative access to employees, and through false claims of strong password policies. Brown has continued to be SolarWinds' CISO, and the SEC's allegations also cover his public statements in 2019 and 2020 about the company's cyber best practices.
In response, SolarWinds has expressed its disagreement with the SEC's charges, and said it will contest them in court. The company expressed its support for Brown and said that its cybersecurity processes had followed evolving industry standards. The SEC's suit may be significant in light of new regulations that require companies to report cybersecurity incidents within a few days of discovery.