SEC Charges SolarWinds CISO with Fraud for Misleading Investors Before Major Cyberattack


The Securities and Exchange Commission (SEC) announced Monday evening that it plans to charge SolarWinds Chief Information Security Officer Timothy Brown with fraud for his role in allegedly lying to investors by “overstating the company’s cybersecurity practices and underestimating or failing to disclose known risks.”

The complaint was filed in the Southern District of New York and alleges violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC “seeks a permanent injunction, disgorgement with prejudgment interest, civil penalties, and an officer’s and administrator’s bar against Brown.”

For months, the SEC had suggested that it planned to charge SolarWinds executives for their role in a cyberattack lasting almost two years that the U.S. government attributed to the Russian foreign intelligence service.

Hackers found a way to insert malware into a version of the company’s Orion computer monitoring application, allowing Russian agents to gain a foothold on high-value targets. They used this access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.

The attack allowed Russian hackers to infiltrate several large companies as well as the Department of Defense, Department of Justice, Department of Commerce, Department of Treasury, Department of Homeland Security, Department of State, Department of Energy and more.

The SEC said that between its October 2018 IPO and at least its announcement of the hack in December 2020, SolarWinds “misled investors by disclosing only generic, hypothetical risks at a time when the company and Brown were experiencing specific gaps in SolarWinds’ cybersecurity practices, as well as the increasingly high risks the company was facing at the same time.”

“We allege that, for years, SolarWinds and Brown ignored repeated warning signs about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We are so far from being a security-conscious company,’” said Gurbir Grewal, director of the SEC’s Enforcement Division.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to misrepresent the company’s cyber-control environment, thereby depriving investors of accurate, important information. Today’s enforcement action not only accuses SolarWinds and Brown of misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but it also underscores our message to issuers: implement strict controls tailored to your risk environments and communicate with investors on known concerns.”

Brown faces charges related to fraud and internal control failures because the company’s official statements were “contradictory to its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally.”

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on a U.S. company and are deeply concerned that this action endangers our national security,” a SolarWinds spokesperson said in a statement. “The SEC’s determination to fabricate a case against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”

A lawyer for Brown said he performed his job with “diligence, integrity and distinction.” “Mr. Brown has worked tirelessly and responsibly to continually improve the company’s cybersecurity posture throughout his tenure at SolarWinds, and we look forward to defending his reputation and remedying the inaccuracies in the SEC complaint.”

According to the SEC, internal reports shared with Brown said that SolarWinds’ remote access setup was “not very secure” and that someone exploiting the issues “can do virtually anything without us detecting it until it is too late,” which could lead to “major reputation and financial loss” for SolarWinds.

The SEC said it had evidence that Brown’s presentations in 2018 and 2019 indicated that “the current state of security leaves us in a very vulnerable state for our critical assets” and that “access and privileges to critical systems/data are inappropriate.”

Several communications were sent between Brown and other SolarWinds employees questioning whether the company could protect critical assets from cyberattacks.

The SEC complaint shows that in an incident involving a cyberattack against a SolarWinds customer, Brown acknowledged that an attacker could have attempted to use SolarWinds’ Orion software in larger attacks because “our backends are not so resilient.”

Brown was then informed in September 2020 by an employee that “the volume of security issues identified over the past month has (sic) exceeded the ability of engineering teams to resolve them.”

Brown is accused of being aware of the company’s cybersecurity issues, but failing to resolve them or elevate them to a higher level within the company.

The SEC also said the company’s disclosure of the cyberattack – known as SUNBURST – in December 2020 was incomplete.

Reuters reported in June that the SEC had sent Wells notices to several current and former executives – letters the commission sends to people potentially facing enforcement action. The notices give recipients 30 days to respond explaining why they should not face civil action.

The Texas-based company paid a $26 million settlement to shareholders last year for lawsuits linked to the hacking scandal. But the SEC issued Wells notices in November, implying that the company had misled the public with its comments about its cybersecurity protections before the cyberattack.

The accusations will certainly revive the concerns of CISOs about the responsibilities associated with their position, which came to light earlier this year when former Uber security chief Joe Sullivan was sentenced to three years of probation by a U.S. federal judge for his handling of a data breach.

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.