SolarWinds Faces SEC Legal Action Over Alleged Cybersecurity Misrepresentation

The U.S. Securities and Exchange Commission (SEC) has filed legal actions against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown. The SEC’s complaint claims that the company disregarded numerous warnings about cybersecurity threats and falsely portrayed its cybersecurity measures, violating regulations regarding Cybersecurity Risk Management.

This legal move follows a significant cyberattack believed to be orchestrated by SVR, Russia’s foreign intelligence agency. The attack was executed through an update to Orion, SolarWinds’ network management software, which affected around 18,000 clients. Notable victims included major corporations and critical U.S. government agencies, such as the Treasury, Justice, Energy departments, and the Pentagon.

The SEC’s complaint points out inconsistencies between SolarWinds’ public statements about its cybersecurity practices and internal conversations about breaches of the company’s cybersecurity policies and recognized vulnerabilities.

In response, SolarWinds expressed its dissatisfaction with the allegations, labeling them as unfounded and an example of regulatory overreach. The company reaffirmed its dedication to cybersecurity, as demonstrated by its Secure by Design initiatives.

This action by the SEC highlights the agency’s commitment to enforcing its guidelines and addressing cybersecurity issues within public companies. It also sheds light on the security deficiencies that can exist in public firms, as evidenced by SolarWinds’ internal communications.