The recent charges by the U.S. Securities and Exchange Commission (SEC) against SolarWinds, an IT management vendor, and its Chief Information Security Officer (CISO), Timothy Brown, have caused significant concern in the information security (infosec) industry. They come almost three years after SolarWinds disclosed a supply chain attack in which a malicious implant was inserted into builds of its Orion software and delivered to customers as a signed update, compromising organizations that included large technology companies and U.S. government agencies.
In its press release, the SEC charged SolarWinds and Brown with fraud and internal control failures. The complaint alleges that from the company's October 2018 initial public offering until the breach was disclosed in December 2020, SolarWinds and Brown misled investors by overstating the company's cybersecurity practices and by downplaying or withholding known risks.
The SEC claims that SolarWinds provided investors with vague and hypothetical disclosures about potential risks, while the company and Brown were aware of specific deficiencies in its cybersecurity measures. The release emphasized that SolarWinds failed to address these issues or adequately escalate them within the organization.
One notable allegation is that SolarWinds employees, including Brown himself, had internally described the company's security posture as leaving its critical assets vulnerable to attack, yet these concerns were neither remediated nor escalated to the people responsible for the company's public disclosures.
Following the charges, TechTarget’s Risk & Repeat podcast featured a discussion between editors Rob Wright and Alexander Culafi. They explored the implications of the SEC’s actions against SolarWinds and Brown, examining how this might impact other Chief Information Security Officers (CISOs) and potentially alter the regulatory landscape.
The charges raise significant questions for the infosec industry as a whole. The case underscores that, for a publicly traded company, statements about cybersecurity practices are investor disclosures, and that the gap between what a company says publicly and what its security staff know internally is itself a legal exposure.
In recent years, supply chain attacks have become increasingly prevalent and pose a significant threat to organizations globally. The SolarWinds incident is a stark reminder that a vendor's build and release pipeline is part of every customer's attack surface: companies must secure their own development and distribution infrastructure, and they must hold their suppliers to comparable standards.
The SEC's action could have far-reaching effects well beyond SolarWinds, because the SEC's jurisdiction covers every publicly traded company, not only those in the security industry. It puts CISOs and similar executives on notice that cybersecurity risk must be managed, and that the risks and deficiencies they know about must be accurately reported and disclosed to investors and stakeholders.
The regulatory landscape surrounding cybersecurity may also shift as a result. The charges highlight the importance of clear and accurate disclosure of cybersecurity practices and known risks, and regulators may now scrutinize such disclosures more closely, demanding more transparency and accountability from public companies generally.
CISOs may find themselves subject to increased regulatory attention and personal legal exposure if their organizations fail to disclose cybersecurity risks adequately. The case is a cautionary tale about the CISO's dual role: safeguarding the organization's assets and ensuring that known risks are escalated honestly across all levels of the company rather than left in internal presentations and chat messages.
As the industry awaits the outcome of this case and any enforcement actions that follow, it is clear that organizations must treat cybersecurity practice, transparency, and accountability as inseparable. The fallout from the SolarWinds incident remains a reminder of the profound impact that cybersecurity failures can have on businesses, governments, and society as a whole.