SEC charges SolarWinds CISO with fraud for misleading investors before major cyberattack

The Securities and Exchange Commission (SEC) announced on Monday evening that it plans to charge SolarWinds Chief Information Security Officer Timothy Brown with fraud for his role in allegedly lying to investors by “overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”

The complaint was filed in the Southern District of New York and centers on violations of the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. The SEC “seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.”

For months, the SEC hinted that it planned to charge SolarWinds executives for their role in a nearly-two year cyberattack that the U.S. government attributed to the Russian Foreign Intelligence Service.

Hackers found a way to insert malware into a version of the company’s Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.

The attack allowed Russian hackers to infiltrate several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.

The SEC said between its October 2018 initial public offering through at least its December 2020 announcement of the hack, SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir Grewal, director of the SEC’s Division of Enforcement.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

Brown is facing charges related to fraud and internal control failures due to the fact that the company’s official statements were “at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally.”

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk," a SolarWinds spokesperson said in a statement. "The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments."

A lawyer for Brown said he performed his job with "diligence, integrity, and distinction. Mr. Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint."

According to the SEC, internal reports shared with Brown said SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the issues “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.

The SEC said it has evidence that presentations by Brown in both 2018 and 2019 said the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Multiple communications were sent among Brown and other SolarWinds employees questioning whether the company could protect critical assets from cyberattacks.

The SEC complaint shares evidence that in one incident involving a cyberattack on a SolarWinds customer, Brown acknowledged that an attacker may have tried to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.”

Brown was later informed in September 2020 by an employee that the “volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

Brown is accused of being aware of the company’s cybersecurity issues but failing to either resolve them or raise them to a higher level within the company.

The SEC also said the company’s disclosure of the cyberattack — known as SUNBURST —- in December 2020 was incomplete.

Reuters reported in June that the SEC sent several current and former executives Wells notices – letters that the commission sends to people potentially facing enforcement action. The notices give suspects 30 days to file appeals arguing why they should not face civil action.

The Texas-based company paid a $26 million settlement to shareholders last year over lawsuits related to the hacking scandal. But the SEC issued Wells notices in November, implying the company had misled the public with its comments about cybersecurity protection in the run-up to the cyberattack.

The charges are sure to reignite concerns among CISOs about the liabilities associated with their position that were raised earlier this year when former Uber Chief Security Officer Joe Sullivan was given three years probation by a U.S. federal judge for his handling of a data breach.