The US Securities and Exchange Commission (SEC) has filed a civil lawsuit against SolarWinds Corporation and its Chief Information Security Officer (CISO) [1] [2], Timothy Brown [4] [6], alleging securities fraud [1], internal controls failures [1] [5] [7], misleading investors about cyber risk [1], and disclosure controls failures [1] [3] [5]. This enforcement action suggests a potential increase in executive accountability for public reporting [5].

Description

The SEC accuses SolarWinds and Brown of making false statements in SEC filings and public statements regarding the company’s cybersecurity program [3]. They are also accused of omitting crucial information about the SUNBURST attack in their cybersecurity disclosures. The SEC cites internal emails and messages as evidence for these claims [3]. The SEC further argues that the company’s risk disclosures in SEC filings were generic and failed to disclose known cybersecurity risks [3]. The accuracy of the company’s statement about the SUNBURST incident in a Form 8-K is disputed [3]. The SEC asserts that SolarWinds was aware of multiple instances where threat actors compromised its servers but failed to disclose this information [3]. The complaint also alleges that the company had deficient disclosure controls [3].

This case has far-reaching implications for public companies and government contractors [8], highlighting the increased accountability and scrutiny now faced by organizations that handle sensitive data. For federal contractors, meeting mandatory minimum cybersecurity standards is now considered essential to fiduciary duty and national security [8]. According to [8], the SolarWinds case is just the beginning of a coordinated federal effort to enforce cybersecurity requirements, signaling a new era of cybersecurity regulation.

The SEC’s complaint seeks remedies [4], including an officer and director bar against Brown [1]. This case is the first time the SEC has charged a CISO with fraud [4], underscoring the growing importance of cybersecurity in federal securities law and serving as a reminder to CISOs about the consequences of their statements regarding cybersecurity practices and risks. The SEC’s action comes ahead of new rules for public company disclosures about cybersecurity risk management and material cybersecurity incidents [1]. The SEC’s complaint highlights the importance of cybersecurity practices for publicly traded companies [2], particularly software and cybersecurity firms [2]. It alleges that the CISO failed to ensure senior executives understood the severity of cybersecurity risks and misled a customer by misrepresenting the mitigation of cybersecurity issues [2]. The complaint also criticizes the company’s incident response plan and boilerplate disclosures for failing to adequately address the elevated risks at SolarWinds [2].

SolarWinds has responded to the SEC’s lawsuit [6], denying the allegations and claiming that the SEC is twisting the facts and taking quotes out of context [6]. The company argues that the SEC lacks the authority or competence to regulate public companies’ cybersecurity [6] [7]. SolarWinds also disputes the SEC’s claims about a VPN vulnerability and its compliance with cybersecurity standards [6]. The SEC’s complaint focuses on the alleged mishandling of controls by SolarWinds’ CISO [6], Timothy Brown [4] [6]. The SEC contends that Brown ignored red flags and was aware of the company’s cyber risks [6]. SolarWinds argues that the SEC’s lawsuit will weaken cybersecurity in the industry by requiring detailed vulnerability disclosures in public filings [6].

Conclusion

This case has significant implications for executive accountability, cybersecurity regulation [1] [2] [4] [6] [8], and the importance of meeting cybersecurity standards for public companies and government contractors. It highlights the need for accurate and comprehensive disclosures regarding cybersecurity risks and incidents. The outcome of this lawsuit and the upcoming rules for cybersecurity disclosures will shape the future landscape of cybersecurity practices in publicly traded companies.

References

[1] https://www.mondaq.com/unitedstates/security/1388530/uncharted-territory-the-sec-sues-solarwinds-and-its-ciso-for-securities-laws-violations-in-connection-with-sunburst-cyberattack
[2] https://www.mondaq.com/unitedstates/security/1387850/sec-sues-solarwinds-and-its-ciso-for-fraud-and-other-violations-related-to-massive-data-breach
[3] https://www.jdsupra.com/legalnews/the-sec-sues-solarwinds-and-its-ciso-3395371/
[4] https://clsbluesky.law.columbia.edu/2023/11/13/skadden-discusses-what-secs-solar-winds-complaint-means-for-boards-information-security-officers/
[5] https://tcblog.protiviti.com/2023/11/13/flash-report-are-sec-charges-against-solarwinds-and-its-ciso-signaling-a-new-era-of-personal-accountability/
[6] https://www.informationweek.com/cyber-resilience/solarwinds-fires-back-at-sec-fraud-charges
[7] https://www.itpro.com/security/solarwinds-claims-the-sec-is-spinning-a-false-narrative-over-sunburst-response
[8] https://www.darkreading.com/risk/sec-suit-ushers-in-new-era-of-cyber-enforcement