A complaint filed by the Securities and Exchange Commission (SEC) against SolarWinds alleges that the company downplayed its security concerns in public statements. According to the complaint, SolarWinds’ claims about its cybersecurity practices and risks were inconsistent with its internal assessments.
Internal documents from 2018 show that SolarWinds engineers were aware of security risks within the company’s core products, including a remote access setup that was found to be “not very secure.” The weakness in this setup could allow an attacker to go undetected and carry out malicious activities, leading to significant reputational and financial losses for the company.
SolarWinds’ CEO, Brown, himself gave internal presentations in 2018 and 2019 that highlighted the company’s vulnerabilities. He stated that the current state of security left the company’s critical assets in a vulnerable position and that access and privileges to critical systems and data were inappropriate.
The SEC complaint emphasizes that “Brown and other SolarWinds employees knew that SolarWinds had serious cybersecurity deficiencies.” Internal emails, messages, and documents described various known cybersecurity risks, control issues, and vulnerabilities. These internal statements directly contradict SolarWinds’ public disclosures regarding its cybersecurity practices, risks, controls, and vulnerabilities.
In June 2020, during an investigation into a cyberattack on a SolarWinds customer, Brown expressed concern that the attacker may have been looking to use SolarWinds’ Orion software for larger attacks. He noted that the company’s backends were not resilient enough to handle such attacks.
Furthermore, an internal document shared with Brown and others two months later highlighted the overwhelming volume of security issues that had been identified. The engineering teams were struggling to resolve these issues, indicating the severity of the cybersecurity challenges faced by SolarWinds.
The SEC’s complaint raises serious questions about SolarWinds’ transparency and disclosure practices. By downplaying its security concerns in public statements while being aware of internal vulnerabilities, the company may have misled investors and the public about the actual state of its cybersecurity defenses.
The SolarWinds breach that occurred in December 2020 exposed numerous government agencies and organizations to significant risks. The attackers gained access to SolarWinds’ software update system and inserted malicious code into legitimate software updates, allowing them to infiltrate the networks of SolarWinds customers without those customers’ knowledge.
The aftermath of the breach led to widespread investigations and concerns over cybersecurity practices. The SEC’s complaint adds another layer to the scrutiny faced by SolarWinds, suggesting that the company’s deceptive statements may have contributed to the magnitude of the breach.
It remains to be seen how SolarWinds will respond to the SEC’s complaint and what actions will be taken to address the alleged misleading statements. The case serves as a reminder of the importance of accurate and transparent communication regarding cybersecurity practices, as well as the potential consequences of downplaying security concerns.
