SolarWinds: From Cybersecurity Nightmare to SEC’s Most Wanted

The U.S. Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its CISO, Timothy G. Brown, for allegedly misleading investors about their cybersecurity practices and known risks. The charges stem from supposed fraud and internal control failures related to cybersecurity weaknesses between the company’s October 2018 IPO and the December 2020 revelation of the SUNBURST cyberattack.

Hot Take:

Well, well, well, if it isn’t SolarWinds back in the spotlight, but this time it’s not about a cyberattack. It’s about allegedly playing fast and loose with the truth. The SEC has filed charges against the company and its CISO, Timothy G. Brown, for supposedly misleading investors about their cybersecurity practices and known risks. This isn’t an episode of “Law and Order: Cyber Crime Unit,” it’s the actual SEC. It seems that SolarWinds was hiding more than Easter eggs. Buckle up, folks, this is going to be an interesting ride.

Key Points:

  • The SEC has filed charges against software company SolarWinds and its CISO, Timothy G. Brown, for allegedly misleading investors about cybersecurity practices and known risks.
  • The charges stem from supposed fraud and internal control failures related to cybersecurity weaknesses between the company’s October 2018 IPO and the December 2020 revelation of the SUNBURST cyberattack.
  • The SEC complaint alleges that SolarWinds disclosed only vague and hypothetical risks while internally acknowledging specific cybersecurity deficiencies and escalating threats.
  • A key piece of evidence is a 2018 internal presentation stating that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to significant reputation and financial loss.
  • Despite being aware of these cybersecurity risks and vulnerabilities, Brown is accused of failing to address them adequately within the company.

The Back Channel:

"Sunburnt by SolarWinds"

This saga began when the SEC filed charges against SolarWinds and Timothy G. Brown, accusing them of deceiving investors by overstating their cybersecurity practices while understating or failing to disclose known risks. This is like saying your house is burglar-proof while leaving the front door wide open.

"The Smoking Gun"

The SEC’s case hinges on a 2018 internal presentation prepared by a SolarWinds engineer that was shared internally, including with Brown. The presentation stated that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to “major reputation and financial loss” for the company. It's like the cat was out of the bag, but no one bothered to chase it.

"Word of Warning"

There were also internal communications among SolarWinds employees raising questions about the company’s ability to protect its critical assets from cyberattacks. Brown himself expressed concerns that an attacker could use SolarWinds’ software in larger attacks. Yet, despite these glaring red flags, these risks were apparently not adequately addressed within the company. It's a classic case of the "I told you so" syndrome.

"The Aftermath"

SolarWinds’ incomplete disclosure about the SUNBURST attack resulted in a significant drop in the company’s stock price. It fell approximately 25 percent over the next two days and around 35 percent by the end of the month. Talk about a nasty sunburn!

"The Defense"

SolarWinds, not surprisingly, plans to “vigorously oppose this action by the SEC.” Their CEO, Sudhakar Ramakrishna, voiced concerns that the SEC’s charges could hinder the open information-sharing across the industry that cybersecurity experts agree is needed for collective security. It's like being caught speeding and then complaining about the traffic rules. Good luck with that defense, SolarWinds.
Tags: cyber fraud, cybersecurity risks, Financial Securities Act Violations, Securities and Exchange Commission, software supply chain, SolarWinds, SUNBURST Cyberattack