The Securities and Exchange Commission (SEC) has brought charges against SolarWinds Corporation and Timothy G. Brown, the company’s chief information security officer. The SEC claims that the software company committed fraud by failing to disclose known cybersecurity risks and vulnerabilities. The company was the victim of a two-year-long cyberattack, called “SUNBURST,” from October 2018 to December 2020. According to the SEC, SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.
The complaint was filed in the Southern District of New York and the SEC asserts that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. In addition, the SEC alleges that SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.
In a recent quote, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company. Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”