SEC claims SolarWinds misled investors about cyber practices before 2020 breach
The Securities and Exchange Commission filed fraud charges Monday against software company SolarWinds and its top security executive in a case related to a wide-reaching cyberattack in late 2020.
Why it matters: It's extremely rare for the SEC to charge a company over statements about its cybersecurity practices — even a company that has faced a cyberattack.
- The SEC is also charging Timothy Brown, SolarWinds' top security executive, with fraud — a decision that is sure to spark liability concerns among the security community.
Details: According to the SEC's complaint, SolarWinds and Brown allegedly presented misleading and false statements about the company's cybersecurity risks and practices from October 2018 to "at least" January 12, 2021.
- The SEC alleges these statements were made in IPO registration forms, a security statement posted to the company's website and a public 8-K filing made after the 2020 incident.
- In its security statement, the SEC claims SolarWinds overstated the security of its password policies and software development process, as well as its policies for determining who has access to what internal data.
- Similar misleading statements are found throughout SolarWinds' SEC filings during that time, the SEC alleges.
Catch up quick: SolarWinds received public attention in late 2020 when a cyber company then known as FireEye discovered that Russian state-backed hackers had broken into SolarWinds' IT systems and deployed malicious code into its software product updates.
- The incident — which went undiscovered for months and has been called the "most sophisticated attack ever" — affected roughly 100 companies and nine federal agencies.
What they're saying: "Today's enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company's 'crown jewel' assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns," Gurbir Grewal, director of the SEC's enforcement division, said in a statement.
The other side: "We are disappointed by the SEC's unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk," a SolarWinds spokesperson said in a statement on Monday. "The SEC's determination to manufacture a claim against us and our CISO is another example of the agency's overreach and should alarm all public companies and committed cybersecurity professionals across the country."
- "We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments," the spokesperson added.
- Alec Koch, a lawyer representing Brown, said in a statement: "Tim Brown performed his responsibilities at SolarWinds...with diligence, integrity, and distinction. Mr. Brown has worked tirelessly and responsibly to continuously improve the company's cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC's complaint."
The big picture: The SEC's charges come as the agency is preparing to start enforcing its new cybersecurity rules next month among publicly traded companies.
- The rules require companies to disclose material cyber incidents within four business days and to share details about their cybersecurity programs in annual reports.
- However, many security executives have expressed concern over how the agency is going to use cyber incident disclosures — and whether the agency will use them to hold CISOs liable for cyberattacks.