USA's SEC sues company and its chief information security officer over alleged fraud and internal control failures.

News Desk

The SEC has sued SolarWinds and its CISO, Timothy G. Brown, alleging that it failed to disclose to shareholders a long-term cyberattack and that in doing so it "defrauded investors" by "by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time."

The attack on SolarWinds exposed massive amounts of public sector and private information and the fact that it was so extensive and so long-lasting that the company attracted a great deal of adverse attention.

SolarWinds provides a large range of internet services including popular WhoIs and DNS analysis tools DNS Stuff, a collection of free services widely used as a starting point for investigations that SolarWInds bought in about 2011.

A statement published today on the company's website by Sudhakar Ramakrishna who arrived as President and CEO after news of the hack broke says "Soon after the highly sophisticated Russian cyberattack on SolarWinds and other technology companies was discovered in December 2020, the U.S. government and the security community determined it was carried out by persistent Russian threat actors. SUNBURST used novel techniques the world’s best cybersecurity experts had never seen before."

The importance of the attack is that, like several other attacks over the recent past, access to SolarWinds products provided a back-door into customers' systems. Indeed, this risk has become recognised as an attack vector that is exploited by criminals who recognise that companies like SolarWInds that provide services can be used to bypass strong security on data.

Think of it like handing the keys to the office to a cleaning company which is not so careful about its vetting policies as the company is for its own employees. It's a very similar concept.

The statement from SolarWind's CEO seems to be at odds with what the Securities and Exchange Commission says it's found.

SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

The SEC's case is damning. "SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month."

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information."

SolarWinds CEO's statement:…