SEC Charges SolarWinds and CISO Timothy Brown For Misleading Investors

The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and CISO Timothy Brown with allegedly misleading investors on SolarWinds’ cybersecurity practices and controls.

The SolarWinds hack captured headlines in 2020 and stands as one of the largest cybersecurity breaches in history. The massive breach led to a global supply chain incident that impacted more than 30,000 organizations, including the federal departments of Homeland Security, Justice, Energy, Treasury and Commerce, and global companies such as Microsoft and Cisco.

The U.S. government officially named the Russian Foreign Intelligence Service as the perpetrator but also hinted that charges would be levied against SolarWinds executives for their role in the breach. This past Monday, the SEC made the speculation official, formally charging SolarWinds and Timothy Brown for:

  • Violating the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934 (Brown and SolarWinds).
  • Violating reporting and internal controls provisions of the Exchange Act (SolarWinds).
  • Aiding and abetting the company’s violations (Brown).

The SEC believes that SolarWinds knew about the specific vulnerabilities and poor cyber controls but chose to ignore them between its initial public offering in October 2018 and the December 2020 announcement of the hack.

The complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 internal report from a company engineer citing vulnerability concerns, and that its SUNBURST disclosure report itself was incomplete.

The SEC also believes that Brown knowingly misled investors by failing to publicly disclose alleged cybersecurity failures prior to the breach, including false claims that “SolarWinds had a strong password policy and strong access controls despite maintaining weak controls for years that granted employees administrative access.”

Perhaps the most damaging allegation is that Brown acknowledged the backends of SolarWinds’ Orion software were not resilient and knew about previous attacks on it. Orion was the exact software into which the malicious code was inserted, causing the historic 2020 breach.

The complaint seeks “permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.” This case is unique for several reasons, including that it is the first time the SEC has:

  • Charged an individual in a cyber case.
  • Alleged an organization intended to deceive investors.
  • Alleged a company knowingly had internal control failures in safeguarding itself.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” said Gurbir Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

SolarWinds released a statement disputing the SEC charges, calling them unfounded. The statement also confirmed that the company will fight the charges in court and reinforced its full support of Brown, who was still serving as its CISO at the time of this article.

Should Security Executives Be Concerned About the SEC Charging SolarWinds?

In theory, security executives should not be concerned about being blamed for incidents, provided that, to the best of their ability, they are truthful to the board, to regulatory bodies and investors, and to the public when applicable.

Most importantly, they must adhere to federal disclosure laws and reporting requirements – which the SEC believes were intentionally not followed in this case and is the basis for the complaint.

The last time a security professional was charged in connection with a cybersecurity incident was after Uber’s 2016 data breach. Joe Sullivan, Uber’s CSO at the time, was charged with obstructing justice for “taking deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.”

It is important to remember that these charges weren’t brought because the attack happened, but because SolarWinds and Brown allegedly knew about vulnerabilities and incidents and knowingly chose to mislead investors and give incomplete disclosures.

So, while many headlines may push the idea that CISOs and CSOs are being scapegoated for cyber-attacks, this case demonstrates that their legal liability is actually based on alleged personal actions, investor communications and public statements, as well as on following federal disclosure laws – which are only getting more stringent in the public sector.

On the other hand, given the recent scrutiny from the SEC and FTC, there is a case to be made that security executives should be concerned about both how they present their company’s cybersecurity practices internally and publicly and, more importantly, how regulatory bodies view the burden of responsibility in these cases. Considering how often public policies don’t align with the internal reality of an organization, the concern some have over this case is understandable.

If the CISO or CSO makes a good-faith effort to establish, document and enforce cybersecurity controls and practices, but the organization fails to enforce them, is it fair that only the CISO or CSO is held accountable? Or should the blame be placed on the organization?

The more complex question may be: how can organizations better support their security executives in the increasingly complicated landscape of regulatory oversight, disclosure requirements, investor demands and federal law, so that a situation such as this is prevented from happening in the first place?

What do you think? Let us know at [email protected].

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.


© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
