SolarWinds is taking a strong stance against charges brought by the Securities and Exchange Commission (SEC) over handling the 2020 Russian-backed cyber espionage attack on its Orion platform. In a recent filing, the company argued that the SEC was overstepping its authority and expertise in charging SolarWinds and its chief information security officer, Tim Brown, with securities fraud and internal controls failures.
The SEC alleged that SolarWinds failed to implement appropriate cybersecurity controls to protect its systems, despite being aware of the insufficiency of these controls. Furthermore, the SEC accused Brown of misleading customers about the potential threat and profiting from insider information by selling SolarWinds stock before the cyberattack became public knowledge.
However, in response to the charges, SolarWinds has offered a detailed denial of the SEC’s accusations. The company’s legal team has emphasized that SolarWinds made accurate disclosures both before and after the cyberattack, and it contends that the charges brought forth by the SEC are unfounded. Additionally, SolarWinds argues that the SEC has failed to specifically identify which security controls violated regulation and is attempting to expand its role into regulating public companies’ cybersecurity controls, a role for which the SEC lacks congressional authorization or substantive expertise.
SolarWinds asserts that it and Brown acted appropriately and maintained transparency throughout their response to the cyberattack. The company insists that it is being unjustly characterized as a perpetrator rather than a victim of cybercrime. SolarWinds claims that the SEC’s charges are unprecedented and unfounded, aiming to “revictimize the victim.”
The company’s adamant denial sets the stage for a legal battle against the SEC’s charges. SolarWinds has vowed to mount a strong defense in court, and its legal team is pushing for the dismissal of the allegations brought against the company and Brown.
The dispute between SolarWinds and the SEC underscores the complexity of cybersecurity regulations and the increasing scrutiny faced by companies in the aftermath of cyber incidents. As the legal proceedings unfold, the outcome of this case will likely have broader implications for how regulatory bodies govern cybersecurity practices in the corporate sector. The clash between SolarWinds and the SEC is poised to be closely watched by industry experts and cybersecurity professionals as a potential precedent-setting legal battle in the realm of cybersecurity regulation.