SEC Files Charges Against SolarWinds and CISO for Fraud and Control Failures
The Securities and Exchange Commission (SEC) has brought charges against Austin-based software firm SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging fraud and internal control deficiencies related to known cybersecurity risks. The complaint states that SolarWinds and Brown deceived investors from their initial public offering in October 2018 through the announcement of a major cyberattack called "SUNBURST" in December 2020. SolarWinds is accused of overstating its cybersecurity practices while downplaying or not disclosing existing risks.
According to the complaint, SolarWinds' public statements about its cybersecurity practices conflicted with internal assessments. In 2018, an internal presentation flagged a lack of security in SolarWinds' remote access setup, emphasizing the potential for undetectable exploitation. Brown was aware of this but allegedly failed to address the issues.
Furthermore, Brown's 2018 and 2019 presentations highlighted security vulnerabilities, noting that the company was in a vulnerable state for its critical assets. Internal communications throughout 2019 and 2020, including messages from Brown, questioned SolarWinds' ability to protect against cyberattacks. These red flags went unaddressed.
The SEC's complaint alleges that Brown was aware of the cybersecurity risks but did not rectify them or escalate them within the company. Consequently, the company couldn't provide reasonable assurance that its valuable assets, including its flagship Orion product, were adequately protected.
SolarWinds' disclosure of the SUNBURST attack, made in a Form 8-K filing on December 14, 2020, was deemed incomplete. Following this disclosure, the stock price dropped by approximately 25% over the next two days and 35% by the end of the month.
Gurbir S. Grewal, Director of the SEC's Division of Enforcement, commented, "Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."
The SEC's complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown. The charges include violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, as well as reporting and internal controls provisions for SolarWinds.