The US Securities and Exchange Commission has sued SolarWinds. This IT company was breached in 2020 by Russian hackers, as part of an extensive espionage operation.
The SEC filed a complaint on Monday accusing the company, and its chief information security officer Tim Brown, of misleading investors through omissions about “known risks”, and inaccurately describing their cyber security measures.
In a press release, Gurbir Grewal said that the SEC enforcement division alleges that SolarWinds ignored red flags for years about SolarWinds cyber risks. These were known to all employees and even led a subordinate of Brown to say: “We’re far from being security-minded.”
A cyber attack of historic proportions brought to light a previously unknown Austin-based company that specialized in supply chain management. Hackers supported by Russian intelligence used a SolarWinds product to spy on companies and government organizations around the world, including US Commerce and Treasury Departments.
SolarWinds’ spokesperson stated that the company is “disappointed” by the SEC’s unfounded allegations. Brown’s lawyers said that he “performed his duties at SolarWinds”. . . They said that they were looking forward to “defending [his] reputation” with diligence, distinction, and integrity.
This is the first attempt by the SEC to hold a chief security officer personally responsible for cyber security breaches. Gary Gensler has shifted his attention to cyber risks and proposed rules that would broaden disclosures by companies.
Brown, according to the complaint wrote in an 2018 internal presentation that SolarWinds “current security state leaves us in a vulnerable state for our key assets”. SEC stated that the IPO registration documents for this deal only included “generic cyber security disclosures and hypothetical risk disclosures”.
According to the complaint, a SolarWinds engineer in 2020 told Brown that he had been “spooked by activity” at one of the company’s customers. The executive responded saying that the matter was very concerning. According to the complaint, he said: “As you know, our backends aren’t that resilient. We should definitely improve them.”
The complaint also cited internal communications from 2020 warning that “[t]he number of security issues identified in the last month has outstripped engineering teams’ capacity to resolve”.
According to the complaint, the SEC claimed that these weaknesses were exploited during what it called “one the worst cyber-security incidents in history”, which took place between January 2019 and Dec 2020.
In November 2020, a SolarWinds manager wrote an instant message saying: “[e]very time I listen to our head geeks talk about security I feel like throwing up.”