The SEC has charged SolarWinds and its top cybersecurity executive, Timothy Brown, with fraud and internal control failures for misleading investors about the company’s cybersecurity practices before a 2019 Russian cyberattack.
The SEC stated late Monday that SolarWinds “allegedly misled investors by disclosing only generic and hypothetical risks” when SolarWinds and Brown knew of “specific deficiencies” in the company’s security practices and the growing risks it faced.
The SEC complaint accused the company of making claims about its security practices that were “at odds” with its internal assessments. The SEC said Brown, SolarWinds’ chief information security officer, made presentations in the years before the hack that said the company’s security was “very vulnerable.”
However, the federal regulator said Brown failed to adequately raise or resolve company security risks.
SEC enforcement chief Gurbir S. Grewal said SolarWinds and Brown “ignored repeated red flags” and “engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Grewal said, “Today’s enforcement action charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, and underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
Government hackers affiliated with Russia’s foreign intelligence service hacked SolarWinds in 2019 and planted a backdoor in the code of its flagship Orion network management product. After SolarWinds delivered the software update to its customers, the hackers gained access to every network running the compromised Orion software, including those of private companies and federal agencies.
In 2020, NASA, Homeland Security, the Department of Justice, FireEye, and several tech companies, universities, and hospitals were found to have been hacked.
In November 2022, after the cyberattack, the SEC warned SolarWinds that its cybersecurity disclosures and public statements were under scrutiny.
U.S. lawmakers chastised former SolarWinds CEO Kevin Thompson for blaming an intern for using the now-infamous password, “solarwinds123,” on a file server for years until a security researcher discovered it. In its complaint filed in New York federal court, the SEC stated that this password “did not comply with the company’s stated password complexity requirements,” which contradicted SolarWinds’ security statement. The SEC said SolarWinds and Brown’s “misstatements and omissions regarding password issues were not only false and misleading, but materially so.”
An official SolarWinds spokesperson declined comment. SolarWinds CEO Sudhakar Ramakrishna complained in a blog post that the SEC was taking a “misguided and improper enforcement action” against the company and that it would “vigorously oppose this action.”
Brown attorney Alec Koch said he looks forward to defending Brown’s reputation and “correcting the inaccuracies in the SEC’s complaint.”