U.S. regulators have taken legal action against SolarWinds, a Texas-based technology firm whose software was compromised in a major 2020 Russian cyberespionage campaign. The lawsuit, filed by the Securities and Exchange Commission (SEC), alleges fraud on SolarWinds’ part due to the company’s failure to disclose security vulnerabilities ahead of the extensive hack. In addition to the company, the complaint names the firm’s top security executive, seeking civil penalties, reimbursement of “ill-gotten gains,” and the executive’s removal.
The SolarWinds breach, discovered in December 2020, infiltrated U.S. government agencies, including the Justice and Homeland Security departments, as well as over 100 private companies and think tanks. This event acted as a wake-up call, raising awareness in Washington about the need to enhance cybersecurity measures.
The 68-page SEC complaint contends that SolarWinds and its former Vice President of Security, Tim Brown, deceived investors and customers through “misstatements, omissions, and schemes.” These actions concealed the company’s “poor cybersecurity practices” and the increasing cybersecurity risks.
In response, SolarWinds has labeled the SEC charges as baseless and expressed concerns that the lawsuit may jeopardize national security. Brown’s lawyer, Alec Koch, defended his client’s reputation, asserting that Brown had performed his duties diligently, with integrity and distinction. Brown currently holds the title of Chief Information Security Officer at SolarWinds.
Gurbir S. Grewal, the director of the SEC’s enforcement division, stated that SolarWinds and Brown ignored “repeated red flags” over several years, creating a false image of the company’s cybersecurity controls and depriving investors of accurate material information.
The SEC’s allegations cite an internal SolarWinds presentation from October 2018, the same month the company registered for an initial public offering. This presentation indicated that SolarWinds’ “current state of security leaves us in a very vulnerable state.” Furthermore, the SEC alleges that throughout 2019 and 2020, multiple communications among SolarWinds employees, including Brown, questioned the company’s ability to protect critical assets from cyberattacks.
SolarWinds, headquartered in Austin, Texas, offers network-monitoring and technical services to numerous organizations globally, including most Fortune 500 companies and government agencies across North America, Europe, Asia, and the Middle East.
The 2020 espionage campaign spanned almost two years and involved compromising thousands of SolarWinds customers by injecting malware into the company’s network management software updates. Leveraging this supply-chain breach, Russian cyber operators covertly infiltrated select targets, including at least nine U.S. government agencies and prominent software and telecommunications providers.
SolarWinds has criticized the SEC’s legal action as an instance of regulatory overreach that could discourage cybersecurity professionals from uncovering and disclosing vulnerabilities, potentially putting national security at risk.
Under the Biden administration, the SEC has taken an assertive stance in holding publicly traded companies accountable for cybersecurity breaches and the failure to disclose vulnerabilities. In July, the SEC introduced rules requiring companies to disclose any cybersecurity breaches affecting their financials within four days. Exceptions are permitted in cases where immediate disclosure poses significant national security or public safety risks.
Among the victims of the SolarWinds hack were the New York federal prosecutors’ office, then-acting Homeland Security Secretary Chad Wolf, and members of the department’s cybersecurity staff responsible for identifying foreign threats.