Cybersecurity firm SolarWinds committed fraud and failed to maintain adequate internal controls for years, the Securities and Exchange Commission alleged in a lawsuit.

[Image: A SolarWinds Corp banner hangs at the New York Stock Exchange (NYSE) on the IPO day of the company in New York, U.S., October 19, 2018.]
SolarWinds went public in 2018, and made only “generic” disclosures about cybersecurity risk in both its prospectus and in continued filings, the complaint said. However, the SEC alleged that SolarWinds and Brown knew that the company’s cybersecurity practices were weak, pointing to an internal presentation from Brown that was made the same month SolarWinds went public.
The myriad vulnerabilities known by the company weren’t acknowledged in the company’s regulatory disclosures, the SEC alleged, and some directly led to the Russian-backed hack of Orion. The SEC alleged that SolarWinds, despite acknowledging the hack, failed to disclose that the vulnerability that the Russian hackers exploited had also been exploited to target other SolarWinds customers, including two unnamed cybersecurity firms and one unnamed federal agency.
The complaint also cited specific alleged misstatements by Brown, who is still SolarWinds’ CISO. From 2019 through 2020, Brown allegedly made numerous public statements claiming that the company was “focused” on “hygiene” and “cyber best practices” on blogs, podcasts, and websites. In reality, Brown knew that the company was not following those best practices, the SEC alleged.
The suit comes as major corporations prepare for a new cyber disclosure rule that would require companies to report cybersecurity incidents within a few days of discovery. Regulators have begun to pay increasing attention to hacks, in the wake of significant breaches that materially impacted corporations. The company said it believed the SEC was pursuing “a misguided and improper enforcement action against us.” SolarWinds also filed the statement with the SEC.