SEC Sues SolarWinds for Concealing Risks Before Massive Hack

November 20, 2023

The U.S. Securities and Exchange Commission on October 30 sued software company SolarWinds Corp. and its top information security executive, saying they defrauded investors by hiding cybersecurity weaknesses during a massive hack targeting the U.S. government.

The SEC lawsuit in Manhattan federal court accused SolarWinds and Timothy Brown, its chief information security officer (CISO), of repeatedly violating U.S. securities laws by concealing vulnerabilities and cyber events in regulatory filings and other company statements.

The lawsuit appears to be the first time the SEC has sued a company that has been the victim of a cyberattack, rather than charging and simultaneously settling.

SolarWinds, based in Austin, Texas, slammed the regulator’s “overreach” and pledged to fight the charges in court. It said the charges were “unfounded,” put national security at risk, and “should alarm all public companies and committed cybersecurity professionals across the country.”

Chief Executive Sudhakar Ramakrishna said in a blog post: “The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security.”

Alec Koch, a lawyer for Brown, said his client performed his job with “diligence, integrity and distinction,” and looked forward to defending his reputation and correcting the inaccuracies in the SEC complaint.

Shares of SolarWinds fell more than 3% after market hours, following the filing of the lawsuit.

‘I Want to Throw Up’

The nearly two-year hacking campaign known as Sunburst, the outlines of which were first reported by Reuters, was one of the most sweeping cyber intrusions ever discovered.

Hackers were able to use SolarWinds’ flagship network management software, Orion, as a springboard into U.S. government networks and international targets.

Several federal agencies were compromised, including the Departments of State, Treasury, Homeland Security, Commerce and Energy. The full consequences of the breach, some hidden behind layers of classification, remain unknown.

Regulators found SolarWinds misled the public about repeated cybersecurity risks it faced between its 2018 initial public offering and its December 2020 disclosure about the attack.

Authorities said Brown internally discussed known risks and vulnerabilities but painted a starkly different picture for the public, even as customers, including a federal agency, alerted SolarWinds to malicious activity on its flagship software.

According to the SEC, the problems prompted one SolarWinds employee to say in October 2020: “We’re so far from being a security minded company. Every time I hear about our head geeks talking about security I want to throw up.”

Alexander Urbelis, a cybersecurity lawyer at Crowell & Moring LLP, said authorities have become more attentive to holding executives liable for cybersecurity failures.

He cited the October 2022 obstruction conviction of a former Uber Technologies security chief for covering up a data breach.

“That was a massive wakeup call for CISOs across the board,” Urbelis said.