The Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its chief information security officer, Timothy G. Brown, for misleading investors by not disclosing “known risks” and not accurately representing the company’s cybersecurity measures before and during the 2020 Sunburst cyberattack, which affected thousands of customers in government agencies and companies globally.
“SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations,” the SEC said in a press release.
It is unusual for a company CISO to be named in SEC charges for non-disclosure. The SolarWinds case could act as a pivotal point for the role of a CISO, transforming it into one that requires a lot more scrutiny and responsibility.
“SolarWinds incident highlights the responsibility of CISOs of publicly listed companies in not only managing the cyberattacks but also proactively informing customers and investors about their cybersecurity readiness and controls,” said Pareekh Jain, chief analyst at Pareekh Consulting. “This lawsuit highlights that there were red flags earlier that the CISO failed to disclose. This will make corporations and CISOs take notice and take proactive security disclosure more seriously similar to how CFOs take financial information disclosure seriously.”
“There are many unknowns here; we don’t know if the CISO ‘succumbed’ to pressure from other leaders or if he was complicit in the hack,” said Agnidipta Sarkar, vice president for CISO Advisory at ColorTokens Inc. “In either case, he is the target. But the reality is that the CISO is a very complex role. We are constantly required to navigate internal politics and pushbacks, and unless you are on your toes, you will be at the mercy of external forces at a scale no other CXO is exposed to.”
Earlier in June, the SEC sent notices to SolarWinds staff, including the chief financial officer (CFO) and the chief information security officer (CISO), indicating it may pursue legal action for violations of federal law in connection with their response to Sunburst.
Complaint says SolarWinds downplayed security concerns
The SEC, in its complaint, alleged that SolarWinds’ public statements about its cybersecurity practices and risks were “at odds with its internal assessments”. An internal presentation developed by the company’s engineers in 2018, for instance, showed that SolarWinds (and Brown) had knowledge of security risks within its core products.
Quoting SolarWinds’ internal documents, the SEC complaint said the company’s remote access setup was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without (us) detecting it until it’s too late,” which could lead to “major reputation and financial loss” for the company.
Additionally, Brown himself was found to have made internal presentations in 2018 and 2019, stating that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “access and privilege to critical systems/data is inappropriate.”
“Brown and other SolarWinds employees knew that SolarWinds had serious cybersecurity deficiencies,” the complaint said. “Internal emails, messages, and documents describe numerous known material cybersecurity risks, control issues, and vulnerabilities. These internal statements dramatically contradict SolarWinds’ public disclosures relating to its cybersecurity practices, risks, controls, and vulnerabilities.”
In June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “(our) backends are not that resilient,” according to the complaint.
“The volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve,” an internal document shared with Brown and others two months later stated.
SolarWinds calls SEC charges misguided and improper
On the same day the SEC filed the lawsuit, SolarWinds CEO Sudhakar Ramakrishna posted the company’s response on its Orange Matter blog.
“The SEC has filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” Ramakrishna said in the blog.
Denying all charges, Ramakrishna claimed that SolarWinds maintained appropriate cybersecurity controls prior to and after Sunburst. He also said that SolarWinds will vigorously oppose the SEC action.
According to an SEC press statement, the complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.