The U.S. Securities and Exchange Commission has charged SolarWinds and its top cybersecurity executive Timothy Brown with fraud and internal control failures for allegedly misleading investors about the company’s cybersecurity practices prior to a cyberattack launched by Russian hackers in 2019.
In a statement published late Monday, the SEC said SolarWinds “allegedly misled investors by disclosing only generic and hypothetical risks” at a time when SolarWinds and Brown knew of “specific deficiencies” in SolarWinds’ security practices and the increasing risks that the company was facing at the time.
The SEC’s complaint accused the company of making claims, including about its own security practices, that were “at odds” with its internal assessments. In one case, the SEC said Brown, who currently serves as SolarWinds’ chief information security officer, made presentations in the years prior to the hack that stated the company’s security practices were in a “very vulnerable state.”
But the federal regulator said that Brown failed to sufficiently raise security risks to the company or resolve them.
Gurbir S. Grewal, who oversees the SEC’s enforcement unit, said SolarWinds and Brown “ignored repeated red flags” and “engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
“Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns,” said Grewal.
SolarWinds was hacked as far back as 2019 by a group of government hackers associated with Russia’s foreign intelligence service, who broke into SolarWinds’ network and planted a backdoor in the code of the company’s flagship Orion network management product. When the tainted Orion software was pushed to SolarWinds’ customers as a software update, the hackers gained access to every network running the compromised software, including private companies and federal agencies.
The hack was discovered almost a year later in 2020, during which several U.S. government departments were confirmed compromised, including NASA, Homeland Security and the Department of Justice, as well as security giant FireEye, and several tech companies, universities, and hospitals.
The SEC told SolarWinds in November 2022 that it faced enforcement action following the cyberattack, warning that the company’s cybersecurity disclosures and public statements were under scrutiny.
Following the breach, former SolarWinds chief executive Kevin Thompson was pilloried by U.S. lawmakers for blaming an intern for using the now-infamous password, “solarwinds123,” on a SolarWinds file server for several years until it was discovered by a security researcher. The SEC said in its complaint filed in a New York federal court that the simplicity of this password “did not comply with the company’s stated password complexity requirements,” which conflicted with SolarWinds’ publicly posted security statement. The SEC said that SolarWinds and Brown’s “misstatements and omissions regarding password issues were not only false and misleading, but materially so.”
A SolarWinds spokesperson declined to comment on the record. In a blog post published shortly after the SEC’s announcement, SolarWinds CEO Sudhakar Ramakrishna accused the SEC of launching a “misguided and improper enforcement action” against the company and that it will “vigorously oppose this action.”
Alec Koch, an attorney for Brown, said that he looks forward to defending Brown’s reputation and “correcting the inaccuracies in the SEC’s complaint.”