SEC Charges SolarWinds and Its CISO with Fraud Over Cybersecurity Failures
In a groundbreaking move, the Securities and Exchange Commission (SEC) has formally charged software giant SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, with fraud and internal control failures. This development, announced on October 30, 2023, centers around allegations that the company misled investors about their cybersecurity measures and the known threats they faced.
SolarWinds, based in Austin, Texas, is known for its broad clientele, which includes several major players such as Cisco, Lockheed Martin, and the U.S. Department of Justice, among others. The company has found itself at the heart of an extensive two-year cyberattack, infamously known as “SUNBURST”. The SEC complaint suggests that from the company’s initial public offering in October 2018 until the public disclosure of the attack in December 2020, SolarWinds and Brown consistently deceived investors.
They are accused of exaggerating the robustness of SolarWinds’ cybersecurity framework and downplaying or not divulging known risks. The filings with the SEC during this timeline reportedly misled investors by highlighting generic and hypothetical dangers when the company and Brown were already aware of specific weaknesses in SolarWinds’ cybersecurity measures. The risks were not merely theoretical but were identified, escalating threats the company was actively facing.
Discrepancies in Public and Internal Communications
SolarWinds’ external statements about its cybersecurity measures starkly contrasted with its internal evaluations. For instance, a 2018 internal presentation prepared by a company engineer stated that SolarWinds’ remote access infrastructure was “not very secure,” and that exploitation of its vulnerabilities could lead to severe reputational and financial consequences for the company.
Key SEC Statement
The one statement in the SEC’s announcement that I found most striking was the following:
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
I think it’s important to note that this lawsuit is not a case of a company executive going to jail because of poor security at their company. The lawsuit is focused on the profit Mr. Brown realized by selling his corporate stock while knowing there were security issues that would have a negative impact should a threat become realized (which it did: the stock dropped 35% within a month and is currently trading at a 64% discount from its all-time high). As per the news release, the SEC is seeking to:
- Permanently bar SolarWinds and Brown from certain conduct (presumably the conduct at issue in the complaint).
- Require them to give back any money they gained wrongly, together with prejudgment interest on that money.
- Require them to pay additional civil penalties for the violations.
- Bar Brown from serving as an officer or director of any public company for a period of time.
Steps Companies Can Take to Avoid Similar Lawsuits
Full Transparency with Stakeholders: Companies should be completely transparent with their investors and other stakeholders about their cybersecurity measures and any known threats.
Regular Internal Audits: Conducting internal audits can help in identifying vulnerabilities and risks before they escalate into major issues.
Invest in Cybersecurity: Companies should allocate a significant portion of their budget for enhancing cybersecurity measures, training employees, and hiring experts. At Intrinsec Security, we offer industry leading training solutions such as CCSK by the Cloud Security Alliance and CCSP and CISSP certification training by ISC2.
Establish Clear Communication Channels: Employees should have clear channels to report vulnerabilities and threats, ensuring that such concerns reach decision-makers in the organization.
Stay Updated with Regulatory Requirements: Companies should ensure they are compliant with all the cybersecurity requirements and guidelines laid out by regulatory bodies.
Engage with Third-party Evaluators: Hiring third-party cybersecurity firms can provide an unbiased view of the company’s cybersecurity measures and suggest areas of improvement.
This enforcement action by the SEC serves as a wake-up call for organizations around the globe. As cyber threats continue to evolve, companies must prioritize cybersecurity to protect their assets and uphold the trust of investors and other stakeholders.