A recent announcement by the SEC reveals SolarWinds Corporation and its CISO are facing charges for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities related to a 2020 cyberattack.
The Securities and Exchange Commission (SEC), allege that Austin, Texas-based software company SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, didn’t disclose known vulnerabilities which led to the historic attack, and repeatedly violated antifraud disclosure and internal control provisions.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. [This] enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result, the company allegedly couldn't provide reasonable assurances that its most valuable assets — including its flagship Orion product — were adequately protected.
According to the release, SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing.
Security leaders weigh in
The role of a Chief Information Security Officer, as well as other high-level security roles within an organization, comes with many challenges and stresses which may lead to the position becoming increasingly difficult to fill. A recent Gartner study predicts nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors, by 2025.
Here, security leaders share their thoughts on the recent charges against SolarWinds Corporation and its CISO, and its implications for the security industry.
Timothy Morris, Chief Security Advisor at Tanium:
“The recent SEC fraud charges against SolarWinds, and more specifically its CISO, is the latest example of high-profile attacks drawing much-needed attention to cybersecurity skills and processes required to protect organizations.
The charges add another layer of complexity to the already overstressed CISO role, as fully complying with regulatory disclosure requirements while protecting investigation and response efforts is not easy, even on a good day. Given today’s threat landscape, it’s crucial that CISOs know what their organizations are doing and document what they know. This is key as the complaint here is that what was documented was misleading (or fraudulent).
With SolarWinds’ CISO now under the microscope, and Uber’s former CISO making similar shock waves last year, we can expect turnover in this role. In fact, Gartner predicts that almost half of cyber leaders will change jobs by 2025 and a full quarter will change career paths entirely due to the mental and emotional toll associated with their job.
While most security leaders aren’t fond of regulations, they should still be taken extremely seriously. All regulations have consequences if not adhered to, and it is often in the regulator’s eye as to how and when those are enforced. The current regulatory climate is proving the old adage which says, ‘You can delegate or outsource the work but not the responsibility.’ CISOs should work closely with the entire C-suite and Board to raise security awareness and visibility, while ensuring compliance with evolving federal mandates.”
Jake Williams, former U.S. National Security Agency (NSA) hacker and faculty member at IANS Research:
"The headline here is in paragraph 10 of the legal complaint: the commissions and false statements about security would have violated securities laws even if SolarWinds hadn't been targeted. That they were targeted only served to highlight the issues.
CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what's being communicated to the public is rooted in reality rather than spin and wishful thinking. For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don't be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners."
George Jones, Chief Information Security Officer at Critical Start:
“This could have a chilling effect on other CISOs, causing them to be more cautious about providing inaccurate information or incomplete information to investors or the public. It could also lead to an increase in transparency and accuracy in reporting cybersecurity practices.
I believe this will heighten the shortage of qualified CISOs that already exists. The demand for skilled cybersecurity workers is high due to the increased importance in today’s digital world, but such legal actions can deter some individuals from taking on CISO roles or make them more risk averse.
If he was knowingly misleading investors, he should have been charged. There is some question as to how much he knew about the security gaps, and there could be plausible deniability, but I would expect to be acutely aware of cybersecurity gaps that exist in my purview and either accept them as a known risk or have a plan on the roadmap to remediate them.
In situations where there is a significant risk for an organization, it is the responsibility of the CISO to raise that risk to the CEO and Board of Directors for awareness. If the group accepts the risk, it should be recorded on the company risk register as a known item that was presented and accepted in its operational state. Having a Risk Governance Steering Committee allows an organization to socialize these issues and take a group approach to discussing potential risks and solutions, prioritizing risks and achieving organizational buy-in on risk acceptance. The outcome of this committee is presented to the BoD for their review and consideration, allowing the CISO to provide highest level awareness and understanding of the landscape.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties and an officer and director bar against Brown.
The complaint alleges that, from at least its October 2018 initial public offering through its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
As the complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”