SEC Accuses SolarWinds CISO of Fraud Preceding Cyberattack

The U.S. Securities and Exchange Commission (SEC) revealed on Monday its intent to file charges against SolarWinds’ Chief Information Security Officer, Timothy Brown. He stands accused of fraudulent activities related to alleged misrepresentation of the company’s cybersecurity practices and failure to disclose known risks to investors. The SEC complaint, filed in the Southern District of New York, specifically pertains to violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.

The SEC is seeking permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director ban against Mr. Brown. These actions follow a prolonged period during which the SEC hinted at potential charges against SolarWinds executives due to their involvement in a nearly two-year cyberattack attributed to the Russian Foreign Intelligence Service.

Internal Malware Attack 

This cyberattack involved the insertion of malware into SolarWinds’ Orion IT monitoring application, providing Russian operatives with access to valuable targets. The hackers subsequently deployed additional malware to compromise internal and cloud-based systems, resulting in the theft of sensitive information over several months. The attack had significant repercussions, enabling Russian hackers to infiltrate numerous prominent organizations, including various U.S. government departments.

The SEC alleges that SolarWinds and Mr. Brown intentionally concealed cybersecurity deficiencies and elevated risks while misleading investors from the time of the company’s October 2018 initial public offering through at least the December 2020 disclosure of the cyber breach. The enforcement action asserts that SolarWinds and Mr. Brown presented a misleading picture of the company’s cybersecurity environment, depriving investors of critical information.

The SolarWinds Hack Explained | Cybersecurity Advice

False Allegations?

Gurbir Grewal, Director of the SEC’s Division of Enforcement, stated, “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

SolarWinds responded to the charges with a statement expressing disappointment in the SEC’s actions. The company emphasized concerns about the potential national security implications of the charges and labeled them as an example of regulatory overreach. They also pledged to clarify the matter in court and maintain their commitment to cybersecurity.

Mr. Brown’s legal representation stressed his diligent and responsible approach to improving the company’s cybersecurity during his tenure, vowing to defend his reputation and address inaccuracies in the SEC’s complaint.

The SEC has shared internal reports indicating security vulnerabilities within SolarWinds’ remote access setup, potential risks to critical assets, and concerns about the company’s ability to safeguard these assets from cyberattacks. The complaint also details communications among SolarWinds employees, including Mr. Brown, questioning the company’s cybersecurity capabilities.