SEC alleges SolarWinds and key executive misled investors about cybersecurity prior to ‘massive’ cyberattack

Cybersecurity firm SolarWinds committed fraud and failed to maintain adequate internal controls for years, the Securities and Exchange Commission alleged in a lawsuit.

SolarWinds Corp banner hangs at the New York Stock Exchange (NYSE) on the IPO day of the company in New York, U.S., October 19.

SolarWinds went public in 2018, and made only “generic” disclosures about cybersecurity risk in both its prospectus and in continued filings, the complaint said. However, the SEC alleged that SolarWinds and Brown knew that the company’s cybersecurity practices were weak, pointing to an internal presentation from Brown that was made the same month SolarWinds went public.

The myriad vulnerabilities known by the company weren’t acknowledged in the company’s regulatory disclosures, the SEC alleged, and some directly led to the Russian-backed hack of Orion. The SEC alleged that SolarWinds, despite acknowledging the hack, failed to disclose that the vulnerability that the Russian hackers exploited had also been exploited to target other SolarWinds customers, including two unnamed cybersecurity firms and one unnamed federal agency.

The complaint also cited specific alleged misstatements by Brown, who is still SolarWinds’ CISO. From 2019 through 2020, Brown allegedly made numerous public statements claiming that the company was “focused” on “hygiene” and “cyber best practices” on blogs, podcasts, and websites. In reality, Brown knew that the company was not following those best practices, the SEC alleged.

The suit comes as major corporations prepare for a new cyber disclosure rule that would require companies to report cybersecurity incidents within a few days of discovery. Regulators have begun to pay increasing attention to hacks, in the wake of significant breaches that materially impacted corporations.

The company said it believed the SEC was pursuing “a misguided and improper enforcement action against us.” SolarWinds also filed the statement with the SEC.