The SEC is charging SolarWinds with a claim of defrauding investors for allegedly failing to stop a massive breach at the IT company and covering up its negligent cybersecurity practices.
The US regulator is also going after SolarWinds CISO, Tim Brown, for presiding over the violations, which ensnared the US government in 2020.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said SEC
In 2020, SolarWinds suffered a data breach involving suspected Russian hackers who tampered with the company’s software products to distribute malware to customers, including US government agencies. The SEC now alleges SolarWinds could have prevented the breach since executives were aware the company’s cybersecurity posture had been lackluster for years but neglected to act.
The US regulator cites SolarWinds’ own internal reports,as evidences including a 2018 assessment shared with Brown, that pointed out the security vulnerabilities with one of the company’s own remote access systems.
Despite the warnings, SolarWinds did little to address the problems. The SEC alleges the company “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.” In the meantime, the SEC’s complaint says hackers began infiltrating SolarWinds as early as January 2019 through a company VPN.
The lawsuit is urging a US federal court to force SolarWinds to give up all “ill-gotten gains” the company received while committing the various violations. In addition, it’s asking the judge to mandate that SolarWinds pay civil monetary penalties and to prohibit Brown from acting as a chief executive at a listed company again.
The SEC adds that enforcement action is also about sending a warning to the entire business community about coming clean with investors about known cybersecurity issues. Meanwhile, SolarWinds plans on fighting the charges in court.