Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Government can move slowly, but it does move eventually.
Nearly three years after the December 2020 SolarWinds hack, the SEC charged the company with fraud for misleading investors about its security capabilities. As IT Brew reported last year, perceived federal inaction on the hack has drawn criticism.
SolarWinds and its former VP of Security and Architecture, Tim Brown, were named in the filing. The SEC charged Brown and the company as a whole with having “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks” between “at least October 2018 through at least January 12, 2021.”
The Southern District of New York complaint charged SolarWinds under provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. After Russian hackers used malware installed in SolarWinds’s Orion platform to compromise systems, including several federal agencies, SolarWinds represented it as a sophisticated attack.
But the new information provided in the filing indicates the real problem may instead have been that the company’s security was weak—and that SolarWinds misrepresented its readiness to shareholders as far back as 2018. The company’s cybersecurity risk disclosure, according to the filing, “failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement.”
"The SEC's role in cybersecurity is controversial, with business groups saying its investigations can shift blame to the victim," according to the Wall Street Journal. SolarWinds attorney Sean Berkowitz told the Journal that the SEC is "improperly trying to appoint itself the cybersecurity police for public companies.” The filing marks the first time the SEC has targeted a public company for being hacked.
“The agency’s overreach into this complex area should alarm all public companies and cybersecurity professionals across the country,” Berkowitz said.
SEC Division of Enforcement director Gurbir Grewal said that the risks were so well known at SolarWinds that concealing them from investors prior to the attack counted as fraud.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Grewal told The Record. “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”