SolarWinds’ motion to dismiss a federal lawsuit accusing the company and its CISO of securities fraud has stirred up controversy around the Securities and Exchange Commission’s (SEC) allegations and brought cybersecurity disclosure requirements into the spotlight.
In response to the charges filed last October by the SEC, SolarWinds filed a court motion calling the accusations “as unfounded as they are unprecedented” and sought to have the case dismissed, citing the need to avoid re-victimizing the company in the wake of a Russian intelligence hacking campaign.
The lawsuit in question accuses SolarWinds and its CISO, Tim Brown, of fraud and internal control failures, alleging that they misled investors about the company’s “serious cybersecurity deficiencies” and the resulting risks to the business. The SEC seeks to permanently ban Brown from serving as an officer or director of a publicly traded company, impose civil monetary penalties, and recover any ill-gotten gains.
The case has captured attention on multiple fronts, particularly due to the fact that it marks the first time the regulator has charged an individual over alleged cybersecurity shortcomings. SolarWinds’ defense counsel has petitioned for the company’s cybersecurity incident response plan to be presented as evidence, albeit under seal, citing the sensitive nature of the information.
Brown, who served as SolarWinds’ vice president of security and architecture and head of the information security group before becoming CISO, is at the center of the alleged misconduct, which is said to have occurred from the company’s October 2018 initial public offering until at least December 2020. That end date coincides with the public revelation that SolarWinds’ Orion product had been trojanized in a major supply chain attack attributed to Russia’s Foreign Intelligence Service, the SVR.
The SEC’s complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks differed markedly from what the company was discussing and assessing internally. The regulator cites internal evidence of shortcomings in the company’s secure development life cycle, known but unremediated vulnerabilities, poorly protected legacy accounts, and internal warnings about the specific risk posed by “sophisticated nation-state” actors, none of which, the SEC says, were reflected in the company’s public disclosures.
SolarWinds has argued in response that its statements to investors already included specific warnings about its vulnerability to attack, and that the detailed vulnerability information the SEC says belonged in its filings is not something securities law requires. The company has also argued that disclosing such details would be of little use to investors and impractical for companies, and could hand attackers a roadmap to the weaknesses in question.
SolarWinds further contends that, in the aftermath of the Sunburst campaign, it disclosed the key facts about the attack and its severity, including that as many as 18,000 customers may have installed the compromised Orion update and were therefore at risk. The company also asserts that it promptly assisted the investigations launched by the FBI and the U.S. intelligence community.
The legal battle between SolarWinds and the SEC underscores how much weight cybersecurity disclosure requirements now carry, and how closely organizations, and the individuals who run their security programs, are scrutinized after a high-profile incident. How the court rules on the motion to dismiss is likely to shape future regulatory actions over cybersecurity disclosures.