The U.S. Securities and Exchange Commission filed fraud charges Monday against SolarWinds Corporation, an Austin-based, publicly traded company that provides information infrastructure software used by thousands of businesses and government agencies, for alleged failures regarding cybersecurity risks and vulnerabilities.
The SEC filed a 68-page complaint in the Southern District of New York that accuses SolarWinds and its chief information security officer, Timothy G. Brown, of making “materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures” between 2018 and 2020.
The lawsuit alleges that SolarWinds defrauded its investors and customers through “schemes that concealed both the company’s poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”
“SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the company’s cybersecurity policy violations, vulnerabilities and cyberattacks,” the SEC complaint states.
But Brown, in an internal document obtained by the SEC, wrote that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”
The SEC also cites a communication from one of Brown’s subordinates: “We’re so far from being a security minded company.”
“The true state of SolarWinds’ cybersecurity practices, controls, and risks ultimately came to light only following a massive cyberattack — which exploited some of SolarWinds’ poor cybersecurity practices — and which impacted thousands of SolarWinds’ customers,” the SEC states. “That attack, termed SUNBURST, compromised SolarWinds’ Orion software platform, a flagship product that the company considered to be a ‘crown jewel’ asset and which accounted for 45 percent of its revenue in 2020.”
Efforts to obtain a comment from SolarWinds have been unsuccessful.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The case is Securities and Exchange Commission v. SolarWinds Corp. and Timothy Brown, SDNY, No. 1-23-cv-09518.