SEC Sues SolarWinds and Its CISO for Concealing Cybersecurity Failures

November 3, 2023

2 minutes read

The U.S. Securities and Exchange Commission (SEC) has put software companies on alert by filing a lawsuit against SolarWinds, and its Chief Information Security Officer (CISO), Timothy Brown, on Monday, Oct.30, for concealing information about vulnerabilities in its systems related to a massive cyber attack unveiled at the end of 2020.

SolarWinds cyberattack on supply chain

SolarWinds is the producer of a software called Orion utilized by 33,000 companies globally, including top companies and U.S. government organizations.

This software had a backdoor, a vulnerability called Sunburst, allowing the attackers to infiltrate companies where it was being used, which translated to a supply chain attack: an attack on a client through a supplier or a third-party, in this case, via computer software.

Although the case was known in December 2020, it was later revealed that the incident originated in March when the Orion update containing the backdoor was deployed, impacting thousands of companies and government entities that were using the software.

SEC Lawsuit

This lawsuit is an unusual move from a regulatory agency, with Reuters reporting that this is the first time the SEC has directed an accusation against a cyber-attack victim company, opting for the legal route over the usual resolution based on settlements.

However, the Commission maintains that Brown was aware of the company’s system vulnerabilities but didn’t adequately inform investors. Gurbir S. Grewal, who oversees the SEC’s enforcement unit, stated that SolarWinds and Brown “ignored repeated warning signs” and “engaged in a campaign to paint a false picture of their cybersecurity controls environment, thereby depriving investors of material accurate information.”

SolarWinds’ reaction

Responding to the lawsuit, SolarWinds has stated that authorities have “overreacted,” arguing that the charges are baseless and pose a threat to national security.

Based on this, a representative for SolarWinds chose not to issue an official comment. Sudhakar Ramakrishna, CEO of SolarWinds, criticized the enforcement action initiated by the SEC in a recent blog post, calling it misguided and reckless. He also stated that the decision will be vigorously confronted.

On Brown’s behalf, Alec Koch, his attorney, expressed his intention to protect his client’s image and rectify the errors present in the SEC’s indictment.

The full scope and exact details of the impact of the cyberattack remain unknown. Yet, this case highlights the growing concern about cybersecurity in companies, and the role of security tools like ByteHide Shield for application protection.

Importance of protecting applications

Application protection is a critical component of a company’s security strategy, and can be essential in mitigating legal risks associated with a security breach, while avoiding financial losses.

Why use a tool like ByteHide Shield in your business?