SEC Charges SolarWinds and Chief Information Security Officer with Fraud and Internal Cybersecurity Failures
The Securities and Exchange Commission (SEC) announced charges against SolarWinds Corp. and its chief information security officer (CISO), accusing the publicly traded company of misleading investors as to its vulnerability to cyberattacks. SolarWinds is accused of defrauding investors by overstating its cybersecurity practices, while failing to implement appropriate internal digital safeguards and ignoring red flags for years before announcing that it was the victim of a two-year long cyber attack in December 2020.
This landmark lawsuit represents the first time in an SEC cyber case that the commission has alleged that an organization intended to deceive investors. Perhaps even more alarming for information security executives performing an increasingly difficult corporate function, it is the first time in an SEC cyber case that the commission has brought action against an individual.
The SEC alleged that SolarWinds and CISO Timothy Brown, who is individually named in the lawsuit, knew as early as 2018 that software it sold to the federal government was, in the words of one company engineer quoted in the complaint, “not very secure.” According to the complaint, SolarWinds’ poor security practices were not a secret within the company, prompting several employees to express their concerns.
According to the director of the SEC’s enforcement division, “[r]ather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
The SEC’s aggressive enforcement of the massive SolarWinds breach reflects the tremendous impact that a breach can have to a company’s value and stock prices. Further, by placing the company’s CISO squarely in the SEC’s crosshairs, CISOs and other cyber executives are now on notice that they may be held personally responsible for security and disclosure failures. On the heels of the criminal sentencing of former Uber CSO, Joseph Sullivan, for his role in the company’s 2016 data breach, these executives are predicted to become increasingly risk-averse and choose self-preservation over corporate profits by proactively report vulnerabilities and breaches. The government’s willingness to go after individual employees means that those employees have even greater motivation to become whistleblowers and report perceived cybersecurity failures within the company, thereby protecting themselves while potentially securing a sizable relator settlement under the False Claims Act.