SolarWinds and CISO sued by SEC for cybersecurity failures

Complaint alleges software company and its CISO misled investors about cybersecurity practices and known risks. We assess the implications.

Charges against SolarWinds Corporation for misleading investors over security failures have been announced by the SEC, but the company has hit back, claiming the regulator has manufactured’ a claim against it in another example of ‘overreach’. A court battle looms.

On Monday, the SEC announced charges against the Austin, Texas-based software company and its chief information security officer, Timothy G Brown. It alleges fraud and internal control failures relating to what it says were known cybersecurity risks and vulnerabilities.

Allegations of material information withheld

The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. 

In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

The complaint alleges SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments. These included a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.

Access to critical systems

In addition, the SEC’ alleges presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate”.

The SEC’s complaint also alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks.

For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient”; and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve”.

“Our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

Gurbir Grewal, Director of Enforcement, SEC

SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, after which its stock price dropped approximately 25% over the next two days and approximately 35% by the end of the month.

The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

What the SEC says

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company’,” said Gurbir S Grewal, Director of the SEC’s Division of Enforcement.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns,” Grewal said.

The SEC filed its complaint in the Southern District of New York, asking the court to:

  • permanently restrain and enjoin SolarWinds and Brown from violating the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934;
  • order SolarWinds and Brown to disgorge all ill-gotten gains they received as a result of the alleged violations;
  • order SolarWinds and Brown to pay civil monetary penalties;
  • permanently prohibit Brown from acting as an officer or director of any issuer that has a class of securities registered under Section 12 of the Exchange Act or required to file reports under Section 15(d) of the Exchange Act.

What SolarWinds says

In June, the SEC notified the chief financial officer and CISO (Brown) of SolarWinds about potential enforcement actions related to the 2020 cyberattack against the company’s Orion software platform, and the company disclosed as much in a regulatory filing with the agency.

SolarWinds CEO Sudhakar Ramakrishna said in an email to employees at that time that the possible legal action by US regulators was misguided, given the company’s “responsible disclosure” and “transparent communication” after the widely felt 2020 cyberattack against the company and its customers.

Responding to the complaint being filed in court yesterday, the company issued a similar statement, saying: “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country”. It said it would fight the allegations in court.

Compliance considerations

New cybersecurity rules from the SEC are set to take effect on December 15, and all companies should familiarize themselves with the new rules, while preparing and monitoring their operations for their own security.

The rules, adopted this past July, require publicly listed companies to comply with numerous incident reporting and governance disclosure requirements. The rules specifically state that all organizations should assume they will experience real threats and potential breaches.

The objective should be building and employing an effective cyber-risk management program that goes beyond completing compliance checklists. Firms and companies must ensure that best practices are in place across the enterprise to prevent cyberattacks and ensure that a proper response plan is in place that effectively stops or quickly remediates real threats when attacked.

Mandatory cyber-incident reporting

The new rules state that issuers must disclose cybersecurity incidents that are determined to be material by the company. The new rules introduce mandatory cyber-incident reporting requirements for all US-listed companies. Domestic issuers must disclose material cybersecurity incidents in Form 8-K filings, and private foreign issuers must submit Form 6-K filings to disclose any material cyber incidents. Disclosures must be filed within four business days after a company determines that it has experienced a material cyber-incident.

Critics of the rule have argued that four days is not enough time to confirm a breach, understand its impact, and coordinate notifications, and there has been some lack of certainty around the definition of “material” incidents.

The rule should be taken seriously, especially considering how the SEC has emphasized cyber-risk management and the importance of relevant board expertise, never mind crafted a rule that requires disclosure of detailed information about issuers’ cyber risk management processes and governance and relevant personnel. It should be considered by even private companies, as the SEC has looked beyond public companies and registrants such as investment advisers, for example by filing a subpoena enforcement action against the private law firm Covington & Burling and demanding the names of clients caught up in a 2020 cyberattack on the firm.

Policies and procedures

The December effective date is close by, and businesses should take out the rule again to prepare for its requirements, examining the sufficiency and timeliness of written cybersecurity policies and procedures, recent IT risk assessments, and how up-to-date status user security and access controls are at the organization.

There should be an assessment of the business’s threat and vulnerability management and whether incident response and recovery plans have been reviewed recently and are well-known by the appropriate personnel. The business must be sure the board of directors has a complete view of the business’s preparedness and resiliency practices; and all disclosure and recordkeeping practices should be doublechecked for sufficiency and an ability to respond promptly.

It’s a lot, admittedly, and it will take ample resources and time. The costs of getting it wrong far outweigh getting dinged by the securities regulator, though; as little else matches a data breach that compromises important client details when it comes to reputational damage and eroding public trust.