The US Securities and Exchange Commission (SEC) has filed a lawsuit against SolarWinds Corporation and its chief information security officer, Timothy G Brown, alleging the defendants violated federal securities laws by misleading investors as to the adequacy of SolarWinds’ cybersecurity measures.
The complaint, filed on 30 October in the US District Court for the Southern District of New York, alleges that SolarWinds and Brown defrauded investors from at least October 2018, when SolarWinds launched its initial public offering, to at least December 2020, when SolarWinds publicly disclosed that it had been the target of a major cybersecurity attack.
According to the SEC, the defendants misled investors by both overstating the adequacy of SolarWinds’ cybersecurity practices and failing to disclose known vulnerabilities in its cybersecurity infrastructure. The complaint cites a 2018 internal presentation prepared by one of SolarWinds’ engineers warning that the company’s remote access set-up was “not very secure” and that the vulnerability would allow threat actors to “do whatever without us detecting it before it’s too late.”
The Director of the SEC’s Division of Enforcement, Gurbir S Grewal, said in a statement that the enforcement action “not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel assets’ but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SolarWinds attack
The SolarWinds attack, commonly known as “SUNBURST,” is considered one of the most penetrating cybersecurity breaches in history, described by Microsoft Corporation president Brad Smith as “the largest and most sophisticated attack the world has ever seen.” Between October 2018 and December 2020, a Russian state actor injected malicious code into a general update for SolarWinds’ Orion software, which is used by many governmental and private organisations in the US, allowing it to compromise the servers of more than 18,000 SolarWinds customers. In April 2021, in response to the attack, the Biden Administration released Executive Order 14024, issuing sanctions targeting the harmful foreign activities of the Russian Government.
With respect to SolarWinds’ CISO, Timothy Brown, the SEC alleges he was aware of SolarWinds’ cybersecurity vulnerabilities but failed to take sufficient action to resolve them or escalate them within the company. As a result of these lapses, the SEC alleges that SolarWinds could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected. The SEC specifically notes that in June 2020, when investigating an attack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.”
Mr. Grewal stated that “[f]or years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company. . . . Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The SEC further alleges that SolarWinds’ public filings from October 2018 to December 2020 misled investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. In particular, the SEC alleges that SolarWinds made incomplete disclosures in its Form 8-K in December 2020.
The complaint alleges that both SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934 (“the Exchange Act”). The complaint further alleges that SolarWinds violated Exchange Act reporting and internal controls provisions, and that Brown aided and abetted the company’s above-referenced violations. As a consequence of the alleged misconduct, the SEC seeks (i) a permanent injunction against the defendants’ violation of federal securities laws, (ii) disgorgement of ill-gotten gains received as a result of the violations, (iii) civil monetary penalties, and (iv) a permanent bar against Brown acting as officer or director of SEC-regulated entities.
US listed companies will want to note the SEC’s allegations about deficiencies in SolarWinds’ investor disclosures as they prepare their own disclosures under the new SEC rules introduced in July 2023. See our previous blog post.
This shows that listed companies in the US must implement strong cybersecurity controls and level with investors about known concerns.