On Monday, the Securities and Exchange Commission (SEC) filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and risks. The charges stem from internal control failures and alleged fraud related to known cybersecurity weaknesses. The failures took place between the company’s 2018 initial public offering and its December 2020 revelation of a cyberattack named “sunburst.”
The cyberattack involved Russian-linked threat actors that breached SolarWinds systems in 2019 or earlier. The hackers compromised the automated build environment for the Orion monitoring software and pushed out malicious Orion updates to SolarWinds customers in the spring of 2020. According to the SEC complaint, the company and CISO are accused of misleading investors by overstating the company’s cybersecurity practices and understating, or not disclosing, known risks. The company is alleged to have disclosed only vague and hypothetical risks while internally acknowledging specific cyber deficiencies and escalating threats. The complaint identifies a 2018 presentation and internal communications among SolarWinds employees, including Brown, as evidence.
Read More: SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures