After a major hack in 2020, SolarWinds is now charged with fraud

The Securities and Exchange Commission (SEC) has announced charges against software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown. They are accused of misleading investors about the company's cybersecurity practices and known risks before the 2020 cyberattacks.

The Austin, Texas-based company is charged with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

SolarWinds found itself at the epicenter of a major cybersecurity breach in 2020. The incident, famously dubbed SUNBURST, sent shockwaves through the tech industry and beyond.

The SEC’s complaint alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks from at least its October 2018 initial public offering through at least December 2020, when the company announced it was the target of a massive, nearly two-year-long cyberattack.

“SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time,” the SEC press release reads.

The SEC also found that the company’s public statements were at odds with its internal assessments.

An internal 2018 presentation by a company engineer was shared with Brown, revealing that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.

Later presentations by Brown also stated that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “access and privilege to critical systems/data is inappropriate.”

Brown was allegedly aware of the cyber risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

Sudhakar Ramakrishna, CEO of SolarWinds, sees the SEC enforcement action as “misguided and improper,” as well as “representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.”

“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC,” Ramakrishna said in a statement.

He argues that no one is protected against novel cyberattacks and that the company’s immediate focus after the SUNBURST attack was on supporting customers and on quickly containing, remediating, and eradicating the issue.

After the incomplete disclosure about the SUNBURST attack on December 14th, 2020, SolarWinds’s stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.

The SEC’s complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown, according to the press release.

Back in December 2020, the SolarWinds supply chain attack made the headlines when a Russian cyber espionage group tampered with updates for SolarWinds’ Orion Network Management products that were used by more than 300,000 customers worldwide, including government agencies, military offices, major US telecommunications companies, education institutions, and Fortune 500 companies.