SEC Charges SolarWinds, CISO with Fraud over Security Risk Disclosures
Date: 31 October 2023
The U.S Securities and Exchange Commission (SEC) has sued SolarWinds and its Chief Information Security Officer, Timothy Brown, for allegedly deceiving investors and the public over risk disclosures.
The SEC has alleged that the organisation and its CISO exaggerated the company's cybersecurity measures and minimised or neglected to mention acknowledged threats amid one of the most high-profile attacks that SolarWinds suffered.
The SEC filed its lawsuit in Manhattan federal court. The formal accusation made by the SEC highlights how SolarWinds breached the Securities Act of 1933 and the Securities Exchange Act of 1934's anti-fraud regulations. The SEC aims to impose a permanent injunction and monetary fines on SolarWinds, and a prohibition against Brown from holding executive or directorial roles.
SEC Sues SolarWinds and CISO: What Exactly Happened?
The APT29 threat group from Russia successfully infiltrated SolarWinds' internal mechanisms and compromised the SolarWinds Orion IT management platform, affecting builds released from March 2020 to June 2020.
These compromised builds were utilised to introduce the Sunburst backdoor into the systems of "less than 18,000" entities. Notably, from this extensive pool, the attackers selectively chose a significantly smaller group for further exploitation.
With this attack, criminals were able to breach several prominent organisations in Corporate America, including numerous U.S. government departments such as Defence, Justice, Commerce, Treasury, Homeland Security, State, and Energy.
Find out all about what exactly happened in one of the most massive supply chain attacks ever in our exhaustive SolarWinds Cyber Attack Timeline.
According to the SEC, from its public introduction in October 2018 to the revelation of the cyber breach in December 2020, SolarWinds, alongside Brown, presented only general and speculative risks to their investors. They disregarded the specific and well-known shortcomings in the company's cybersecurity posture and the mounting challenges they were simultaneously encountering.
An internal presentation by SolarWinds in 2018, apparently, acknowledged the vulnerabilities in its remote access infrastructure, highlighting potential significant reputational and financial implications.
By June 2020, Brown voiced apprehensions regarding the cyber attack on a SolarWinds client. He suggested the possibility of the Orion software being exploited for broader malicious activities. Yet, with knowledge of these vulnerabilities, Brown did not take sufficient measures to rectify them internally. The SEC has alleged that even with Brown's awareness of distinct shortcomings in SolarWinds' cybersecurity measures, the company reported only generalised risks in its documentation throughout that time frame.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir Grewal, director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
A SolarWinds spokesperson responded with this statement: “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
What does this mean for Businesses & CISOs around the world?
The SEC’s suing of Timothy Brown is sure to raise concerns with CISOs around the world. Questions regarding the personal liabilities of the CISO’s position, which made for a hot debate topic when Uber’s CISO Joe Sullivan was convicted last year, are sure to set alight again. CISOs across the world are probably rethinking their cybersecurity response strategies at this point and wondering how to balance business goals with strategic security actions.
This brings us back to the most fundamental aspect of cybersecurity readiness and leadership that we at Cyber Management Alliance always harp upon - Incident Response & Preparation.
In the current threat landscape, there is no way to escape attacks. And if you’re unfortunate, an attack the size of SolarWinds may throw you off at some point in your career.
The obvious upshot of the SEC’s action will be heavily increased engagement between boards and CISOs everywhere. It is almost certain that executive teams of large organisations will prioritise a review of their cybersecurity posture and risks.
However, the need of the hour is to establish robust enterprise risk frameworks that can actually help evaluate cyber threats and risks effectively and as objectively as possible. And then act upon the knowledge of these risks which sufficient preparation and training.
Here’s the opinion of our cybersecurity experts on what concerned businesses, CISOs and management teams should do immediately to address the concerns that the SEC’s actions have raised:
- Cyber Incident Response: An effective cyber incident response plan ensures that you are prepared to swiftly and efficiently manage breaches or attacks. It also demonstrates your organisation's commitment to cybersecurity, fostering trust among stakeholders and clients. Without such planning, you remain vulnerable, potentially risking your operational continuity and stakeholder confidence.
Without trying to vilify anyone, we have to take into consideration the key messages from the SolarWinds incident and the SEC news. Make sure you know what threats face your business and prepare against these threats.
Spend time building a solid Cyber Incident Response Plan for your business, practise and rehearse it with cyber attack drills, identify loopholes and fix them. Know how you’ll communicate when the worst happens, who will lead the communications and who will make sure they’re as transparent as possible. We cover all these topics and more in our NCSC Assured Training in Cyber Incident Planning and Response.
- Board Engagement: The SEC taking on SolarWinds has made one thing clear - security can no longer be looked at in isolation. It’s not just a CISO problem, even if the bulk of the burden falls on the CISO’s individual shoulders. The Board, Senior Management, Executive teams have to be involved in security at a whole new level.
Exercises like our Executive Briefing and Awareness Sessions raise board awareness contextually and help them truly understand the risks their business faces. The Cyber Tabletop Exercise for Executives enables them to practise decision-making for a cyber incident and bolsters overall cybersecurity leadership. If recent events have shown us anything, it’s that executive preparedness for cyber-attacks is paramount today.
- Risk Assessment, Evaluation & Implementation of Controls: Cybersecurity risk assessment is an essential component of your information security posture. It is only through a systematic evaluation of potential threats and vulnerabilities, that you’ll get the right insights into the possible risks that your assets and operations face.
A formal evaluation ensures a comprehensive, structured, and consistent approach, enabling you to prioritise and address risks in a manner that aligns with strategic objectives and regulatory requirements. Moreover, it lays the groundwork for informed decision-making, ensuring resources are allocated effectively to mitigate the most pressing threats, thereby safeguarding your organisation's reputation, assets, and stakeholder trust.
If you’re unsure about how to conduct a risk assessment, a tabletop exercise or achieve compliance with regulatory requirements, our Virtual Cyber Assistants can help. In the most cost-effective, flexible and time-effective way, our cybersecurity experts can help you enhance your security posture at a speed that you decide.
For more information, reach out to us at firstname.lastname@example.org.