U.S. regulators on Monday sued SolarWinds, a Texas-based technology company whose software was breached in a massive 2020 Russian cyberespionage campaign, for fraud by failing to disclose security deficiencies before the surprising attack.
The company’s top security executive was also named in the lawsuit filed by the Securities and Exchange Commission that seeks unspecified civil penalties, repayment of “ill-gotten gains” and the executive’s removal.
Detected in December 2020, the SolarWinds hack penetrated US government agencies, including the Departments of Justice and Homeland Security, and more than 100 private companies and think tanks. It was a harsh wake-up call about the dangers of neglecting cybersecurity.
In the 68-page complaint filed in federal court in New York, the SEC says SolarWinds and its then-vice president of security, Tim Brown, defrauded investors and customers “through misstatements, omissions and schemes” that concealed “malpractices.” of cybersecurity and its greatest (and growing) cybersecurity risks.”
In a statement, SolarWinds called the SEC’s charges baseless and said it is “deeply concerned that this action puts our national security at risk.”
Brown carried out his responsibilities “with diligence, integrity and distinction,” his attorney, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.
SEC Enforcement Division Director Gurbir S. Grewal said in a statement that SolarWinds and Brown ignored “repeated red flags” for years, painting “a false picture of the company’s cyber controls environment, thus depriving investors with accurate material information.
The same month SolarWinds registered for an initial public offering, October 2018, Brown wrote in an internal presentation that the company’s “current security status leaves us in a very vulnerable state,” the complaint says.
Among the SEC’s damning allegations: An internal SolarWinds presentation shared that year said the company’s network was “not very secure,” meaning it was vulnerable to hacking that could lead to “major reputation and financial loss.” “. Throughout 2019 and 2020, the SEC alleged, multiple communications between SolarWinds employees, including Brown, “questioned the company’s ability to protect its critical assets from cyberattacks.”
SolarWinds, headquartered in Austin, Texas, provides network monitoring and other technical services to hundreds of thousands of organizations worldwide, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East. .
The nearly two-year spy campaign involved infecting thousands of customers by planting malware in the company’s network management software update channel. Leveraging supply chain hacking, Russian cyber operators stealthily penetrated select targets, including about a dozen U.S. government agencies and prominent software and telecommunications vendors.
In its statement, SolarWinds called the SEC’s action an “example of agency overreach (that) should alarm all public companies and professionals engaged in cybersecurity across the country.”
He did not explain how the SEC’s action could put national security at risk, although some in the cybersecurity community have argued that holding corporate information security officials personally responsible for identified vulnerabilities could make them less diligent in discovering them and deterring qualified persons to aspire to such positions.
Under the Biden administration, the SEC has been aggressive in holding publicly traded companies accountable for cybersecurity failures and failure to disclose vulnerabilities. In July, it adopted rules requiring them to disclose within four days all cybersecurity breaches that could affect their results. Delays would be allowed if immediate disclosure poses serious risks to national or public security.
Victims of the SolarWinds attack whose Microsoft email accounts were breached included the New York U.S. Attorney’s Office, then-acting Homeland Security Secretary Chad Wolf, and members of the department’s cybersecurity staff, whose jobs included Hunt threats from foreign countries.