The US Securities and Exchange Commission (SEC) has filed a lawsuit against SolarWinds Corporation and its Chief Information Security Officer (CISO) [2] [3], Timothy G Brown [1] [4] [6] [7], for allegedly misleading investors about the company’s cybersecurity practices prior to a cyberattack by Russian hackers in 2019 [6].


The SEC complaint accuses SolarWinds of failing to disclose specific deficiencies in its security practices and of misrepresenting its cybersecurity measures. It also names Brown personally, which is unusual; CISOs are rarely included in SEC charges. The complaint alleges that SolarWinds downplayed security concerns even though internal documents and presentations showed that the company was aware of security risks [1]. Brown himself gave presentations that downplayed the company’s security risks. SolarWinds strongly denies the charges and plans to vigorously defend itself in court; the company has criticized the lawsuit as “unfounded” and a potential risk to national security. Brown’s lawyer has also defended his client’s reputation [2], stating that he diligently performed his job. The SEC complaint seeks various penalties and relief [1], including an officer and director bar against Brown [1] [4]. Following the filing of the lawsuit [2], SolarWinds’ stock price dropped by over 3% in after-hours trading.

The SEC charges SolarWinds and Brown with fraud related to security failings in the period leading up to the breach [7]. The complaint states that SolarWinds’ public statements contradicted its internal assessments [7], including a 2018 presentation that highlighted the company’s insecure remote access setup [7]. Brown is accused of ignoring red flags and of neither addressing nor disclosing known vulnerabilities [7]. Experts believe that these charges will make CISOs more cautious [7], as they are often held responsible for breaches and attacks [7]. They advise CISOs to prioritize honesty, transparency, and detailed reporting [7], and to ensure that their organizations act consistently with their understanding of the security environment [7]. The lawsuit has caused significant concern within corporate America [3].
The hack [6], which occurred in 2019 and was discovered in 2020 [6], compromised several US government departments [6], security companies [1] [6] [8], tech firms [6] [8], universities [6], and hospitals [6]. The SEC’s complaint also highlights SolarWinds’ lax password practices [6], including the use of the password “solarwinds123.” SolarWinds CEO Sudhakar Ramakrishna criticized the SEC’s enforcement action and vowed to oppose it [6]. SolarWinds hackers also targeted NASA and the Federal Aviation Administration networks [6]. The SEC alleges that SolarWinds and Brown deceived investors by exaggerating the company’s cybersecurity practices and failing to disclose known risks [5]. The agency claims that SolarWinds and Brown only disclosed generic and hypothetical risks while being aware of specific deficiencies in their cybersecurity practices [5]. Additionally, the SEC alleges that SolarWinds made an incomplete disclosure about the attack in its initial filing [5].


The lawsuit against SolarWinds and its CISO has raised concerns about the accountability of CISOs and the need for honesty, transparency [7], and detailed reporting in cybersecurity practices. The charges may lead to increased caution among CISOs, who are often held responsible for breaches and attacks [7]. The hack [6], which compromised various organizations, including government departments and tech firms, highlights the importance of robust cybersecurity measures. The lax password practices and incomplete disclosure by SolarWinds further underscore the need for organizations to prioritize security and disclose known risks accurately. The outcome of this lawsuit will have implications for the cybersecurity industry and may shape future regulations and practices.