SolarWinds issued a sharp rebuke to the US Securities and Exchange Commission (SEC) lawsuit claiming the company and its CISO failed to maintain adequate security in the years leading up to the 2019 SUNBURST cyberattack.
The Russian-backed hack was not made public until December 2020 and last week, the SEC released its 68-page complaint that included specific misstatements by Timothy Brown, who remains SolarWinds’ acting CISO. The lawsuit claimed the company overstated cybersecurity practices while understating its own cybersecurity weaknesses.
In a blog post titled “Setting the Record Straight on the SEC and SUNBURST,” the company claimed the SEC’s evidence is misleading and quotes are taken out of context to make its case. “…the SEC is twisting the facts in an attempt to expand its regulatory footprint in the cybersecurity space,” the company said. “We intend to correct the record and push back on their overreach, as the SEC is provably wrong about the facts and lacks the authority or competence to regulate public companies’ cybersecurity.”
The SEC claimed in its lawsuit that SolarWinds failed to install adequate security controls before the attack.
“We categorically deny those allegations,” SolarWinds’ blog post said. “The company had appropriate controls in place before SUNBURST. The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture.”
SolarWinds’ blog post also rebuts what it describes as the SEC’s false claim that the attack exploited a VPN vulnerability. Other technical issues regarding the company’s compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) are also defended in the post. “The SEC is mixing apples and oranges, underscoring its lack of cybersecurity experience,” the blog post charged. “… the SEC fundamentally misunderstands what it means to follow the NIST CSF.”
However, much of the SEC’s complaint focuses on Brown’s alleged mishandling of the controls that led to the breach. The SEC contends that Brown stated in 2018 and 2019 that “the current state of security leaves us in a very vulnerable state for our critical assets,” and that “access and privilege to critical systems/data is inappropriate.”
The SEC, for its part, alleges SolarWinds and Brown were well aware of the risks.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company,’” Gurbir S. Grewal, director of the SEC’s Division of Enforcement, said in a release.
In its response, SolarWinds goes on to claim the SEC’s lawsuit will weaken cybersecurity throughout the industry.
“If the SEC has its way, companies would be required to disclose detailed vulnerability information in public filings, which would not be useful to investors but would be useful to hackers looking for vulnerabilities to exploit,” the blog post stated. “That is the very reason the SEC has previously advised companies that SEC rules do not require such disclosures. This lawsuit undermines that guidance and leaves public companies confused about how much they must disclose.”
Igor Volovich, vice president for compliance strategy at compliance solutions firm Qmulos, tells InformationWeek that SolarWinds’ fight with the SEC offers lessons for business leaders.
“Corporate leaders need to wake up to the new reality set by the SEC’s charges against SolarWinds and its CISO… We’re past the point of waiting until the next audit to understand a company’s security posture; that understanding needs to be crystal clear today,” he said in an email interview. “When there’s a discrepancy between what you’re doing and what you’re reporting, you’re not just failing in compliance, you’re risking your company’s reputation and integrity… Look for more action from the SEC, FTC, DOJ, and other agencies soon.”