The Securities and Exchange Commission (SEC) on Monday filed a lawsuit against SolarWinds and its CISO, Tim Brown, alleging fraud and that the company failed to maintain adequate internal controls in the years prior to a 2019 Russia-backed hack.
The suit claims the company overstated cybersecurity practices while understating its own cybersecurity vulnerabilities.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” Gurbir Grewal, SEC enforcement director, said in a release.
The 68-page complaint includes specific alleged misstatements by Brown, who is still acting as CISO. Nobelium, the codename for the Russia-aligned hacking group, in 2019 hacked SolarWinds’ Orion software, which numerous government agencies used. The hack was not made public until December 2020, a month after an employee discovered the attack. “Can’t really figure out how to unf**k this situation,” the employee said in a message cited in the SEC lawsuit.
The SEC alleges SolarWinds failed to disclose that the vulnerability was shared by other customers as well, including two unnamed cybersecurity firms and an unnamed federal agency. The breach was first detected by cybersecurity firm FireEye, which was also impacted.
“A reasonable investor, considering whether to purchase or sell SolarWinds stock, would have considered it important to know the true state of SolarWinds’ security, especially regarding the state of the company’s access controls for ‘information systems’ and ‘sensitive data,’” the SEC complaint said.
SolarWinds shot back in a statement released to the public and filed with the SEC, which it said was pursuing “a misguided and improper enforcement action against us.”
“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST [the codename for the attack] and has led the way ever since in continuously improving enterprise software security based on evolving industry standards,” the filing, signed by SolarWinds CEO Sudhakar Ramakrishna, said.
A spokesperson for SolarWinds, in an email to InformationWeek, said, “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
In a statement to CNBC, Brown’s attorney Alec Koch said, “Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”