November 9, 2023 at 12:12PM
SolarWinds has strongly defended itself against the Securities and Exchange Commission’s (SEC) lawsuit over the 2020 SUNBURST cyberattack. The company called the SEC’s claims “fundamentally flawed” and stated that it had appropriate cybersecurity controls in place before the attack. SolarWinds accused the SEC of overreaching and lacking the authority to regulate cybersecurity. The company addressed technical matters related to the allegations, such as a claim about a VPN vulnerability, and challenged the SEC’s allegations about misleading statements concerning security practices and known risks. The case highlights the accountability of CISOs and may empower them in the future.
According to meeting notes, SolarWinds is strongly defending itself against the Securities and Exchange Commission’s (SEC) lawsuit regarding the 2020 SUNBURST cyberattack. SolarWinds denies the SEC’s allegations and claims that it had adequate cybersecurity controls in place before the attack. The company accuses the SEC of overreaching and lacking the authority to regulate cybersecurity. The SEC’s lawsuit focuses on how SolarWinds and its CISO allegedly misled investors about security practices and risks. SolarWinds addresses some allegations but does not directly respond to others, such as claims that it made false statements about access controls and the secure development lifecycle. The company argues that disclosing detailed security issues before an attack could be dangerous and provide a roadmap for attackers. The case highlights the power and accountability of CISOs, emphasizing the need for defensible public statements and adherence to high regulatory standards. SolarWinds suggests that the SEC’s lawsuit could harm security by pressuring companies to disclose sensitive information and inhibiting frank discussions about security issues.