Written by staff writer.
The US Securities Exchange Commission (SEC) has charged Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy Brown, with fraud and internal control failures connected with known cybersecurity risks and vulnerabilities.
The charges, related to a long-running cyberattack on the publicly listed company, and disclosed in 2020, are attracting attention because they represent a step change in the regulator’s approach to cybersecurity enforcement. Historically, when the SEC has taken action concerning cybersecurity, it primarily focused on negligence-based disclosure violations. In this case, the SEC says the defendants knowingly made false public statements promoting the company’s cybersecurity practices and risks while omitting material information.
The hack, known as SUNBURST, saw hackers insert malicious pieces of code into a SolarWinds IT performance management and monitoring system called Orion. SolarWinds offers SaaS solutions for IT infrastructure, supply management, and network administration. Using the Orion platform as a backdoor, the Russia-state-linked threat actors could spy on SolarWinds’ clients for an extended period. The clients included the US Department of Homeland Security and the Department of Treasury. SUNBURST was noteworthy not just for its high-profile targets but also for the scope and method of the attack.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” said Gurbir S. Grewal, the SEC’s Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
SolarWinds relisted on the US stock exchange in October 2018, and the SEC allegations cover from then until the end of 2020. In addition to the SEC alleging that Brown was aware of the firm’s cybersecurity deficiencies but did not adequately address them, they also allege that in late 2020, Brown made an incomplete disclosure to the regulator about the SUNBURST attack. Grewal says the charges demonstrate the need for entities to have “strong controls calibrated to your risk environments and level with investors about known concerns.”
In response, a SolarWinds spokesperson has called the charges disappointing and unfounded. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country,” he said.
Critics of the charges say the SEC’s action will have a chilling impact on the supply of CISOs. The charges are also sparking a debate about accountability and the extent of a CISO’s responsibility for an entity’s cyber defences. Some CISOs have since spoken out and said many do not have access to the resources they need to do their job properly.
Others say the SEC’s action could go a long way to clarifying a CISOs role in a company and the extent of their responsibility, especially when things go awry.
Brown’s legal representatives say he will defend the charges and that he worked in the CISO role with integrity and diligence. “Mr Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds,” his lawyer told media. “We look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”