The Securities and Exchange Commission is making an example of SolarWinds by charging the company with defrauding investors for allegedly failing to stop a massive breach at the IT company and covering up its negligent cybersecurity practices.
The US regulator is also going after SolarWinds Chief Information Security Officer Tim Brown for presiding over the violations, which ensnared the US government in 2020.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said SEC Enforcement Director Gurbir Grewal in the announcement.
In 2020, SolarWinds suffered a data breach involving suspected Russian hackers who tampered with the company’s software products to distribute malware to customers, including US government agencies. The SEC now alleges SolarWinds could have prevented the breach, since executives were aware the company’s cybersecurity posture had been lackluster for years, but neglected to act.
As evidence, the US regulator cites SolarWinds’ own internal reports, including a 2018 assessment shared with Brown, that pointed out the security vulnerabilities with one of the company’s own remote access systems.
“Network Engineer D warned that this setup was ‘not very secure’ and later explained that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late’ which could lead to a ‘major reputation and financial loss’ for SolarWinds,” alleges the SEC’s complaint, which notes two other internal reports warned about similar risks.
(Credit: Getty Images)Despite the warnings, SolarWinds did little to address the problems. Instead, the SEC alleges the company “defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.” In the meantime, the SEC’s complaint says hackers began infiltrating SolarWinds as early as January 2019 through a company VPN.
The SEC’s lawsuit is urging a US federal court to force SolarWinds to give up all “ill-gotten gains” the company received while committing the various violations. In addition, it’s asking the judge to mandate that SolarWinds pay civil monetary penalties and to also prohibit Brown from acting as a chief executive at a listed company again.
The SEC adds the enforcement action is also about sending a warning to the entire business community about coming clean with investors about known cybersecurity issues.
“The SEC litigation against Solarwinds is going to do more to advance security than another decade of breaches would,” cybersecurity researcher Jake Williams tweeted. “CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead.”
However, SolarWinds is pushing back on the SEC charges, claiming it was transparent with the public about the breach from the outset. “How we responded to Sunburst is exactly what the US government seeks to encourage. So, it is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us,” SolarWinds’ CEO Sudhakar Ramakrishna said in a post. (Sunburst is the malware used to attack SolarWinds.)
The company plans on fighting the charges in court. Ramakrishna adds that the SEC’s action risks discouraging other companies from “open information sharing across the industry.”
“They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines,” he wrote. “I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”
