October 30, 2023 at 09:54PM
The Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its Chief Information Security Officer (CISO), alleging that the company misled investors about its cybersecurity practices and known risks. The charges stem from alleged fraud and internal control failures related to cybersecurity weaknesses. SolarWinds is accused of disclosing vague risks while internally acknowledging specific deficiencies. The SEC’s complaint cites internal communications and documents that highlight concerns about the company’s cybersecurity posture. The incomplete disclosure about the cyberattack led to a significant drop in the company’s stock price. SolarWinds’ CEO claims the SEC’s action is misguided and risks hindering cybersecurity information-sharing.
Key takeaways from the meeting notes are as follows:
– The Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, for allegedly misleading investors about the company’s cybersecurity practices and known risks.
– The charges are related to alleged fraud and internal control failures regarding known cybersecurity weaknesses between SolarWinds’ IPO in October 2018 and the disclosure of the “SUNBURST” cyberattack in December 2020.
– The cyberattack involved Russia-linked threat actors breaching SolarWinds’ systems and compromising the company’s Orion monitoring software.
– The SEC’s complaint alleges that SolarWinds and Brown deceived investors by overstating cybersecurity practices while understating or failing to disclose specific risks.
– Internal documents and communications within SolarWinds, including presentations and employee discussions, suggest concerns about the company’s cybersecurity posture and its ability to protect critical assets.
– Brown is accused of failing to adequately address these cybersecurity risks within the company, leading to a lack of reasonable assurances for the protection of assets like the Orion product.
– SolarWinds’ incomplete disclosure about the SUNBURST attack resulted in a significant drop in the company’s stock price.
– The complaint charges SolarWinds and Brown with violating antifraud provisions and reporting/internal control provisions of securities acts, seeking various remedies including injunctive relief, disgorgement, civil penalties, and an officer and director bar against Brown.
– SolarWinds’ CEO claims the company had appropriate cybersecurity controls before the incident and intends to vigorously oppose the SEC’s action, expressing concerns about the impact on information-sharing and public-private partnerships in the cybersecurity industry.