U.S. regulators have filed a lawsuit against SolarWinds, a Texas-based technology company, for alleged fraud related to its failure to disclose security deficiencies prior to a significant 2020 Russian cyberespionage campaign. The complaint, initiated by the Securities and Exchange Commission (SEC), also targets the company’s top security executive, seeking unspecified civil penalties, reimbursement of “ill-gotten gains,” and the executive’s removal.
The SolarWinds cyberattack, detected in December 2020, infiltrated U.S. government agencies, including the Justice and Homeland Security departments, and over 100 private companies and think tanks. The breach underscored the need for increased cybersecurity measures in Washington.
In the 68-page complaint filed in a New York federal court, the SEC alleges that SolarWinds and its former Vice President of Security, Tim Brown, engaged in fraudulent behavior by concealing the company’s “poor cybersecurity practices and heightened cybersecurity risks.” The SEC claims that this behavior deprived investors and customers of accurate information.
SolarWinds has responded, stating that the SEC charges are unfounded and expressing concerns that this action may jeopardize national security.
In a statement, Brown’s lawyer, Alec Koch, defended his client’s reputation and noted that Brown had performed his duties diligently, with integrity, and distinction.
The SEC’s enforcement division director, Gurbir S. Grewal, stated that SolarWinds and Brown disregarded “repeated red flags,” creating a false impression of the company’s cybersecurity controls and depriving investors of vital information.
The SEC’s allegations include evidence from an internal SolarWinds presentation in October 2018, which suggested that the company’s security was “not very secure” and left it vulnerable to hacking with potential reputational and financial consequences. Additionally, throughout 2019 and 2020, SolarWinds employees, including Brown, questioned the company’s ability to protect its critical assets from cyberattacks.
SolarWinds, headquartered in Austin, Texas, provides network-monitoring and technical services to numerous organizations worldwide, including most Fortune 500 companies and government agencies across North America, Europe, Asia, and the Middle East.
The cyberespionage campaign lasted nearly two years and involved the infection of thousands of SolarWinds customers through malware in the company’s network management software updates. Russian cyber operators capitalized on the supply-chain breach, infiltrating select targets, including at least nine U.S. government agencies, software providers, and telecommunications companies.
SolarWinds has criticized the SEC’s actions as overreach and argued that they could discourage diligent corporate information security officers from disclosing vulnerabilities. The Biden administration’s SEC has been proactive in holding publicly traded companies accountable for cybersecurity lapses and non-disclosure of vulnerabilities.
The SEC adopted rules in July that require companies to disclose cybersecurity breaches affecting their financials within four days. Exceptions are allowed in cases of significant national security or public safety concerns. Notable victims of the SolarWinds breach included the New York federal prosecutors’ office, then-acting Homeland Security Secretary Chad Wolf, and members of the department’s cybersecurity staff.