My Blog
Technology

SolarWinds charged by SEC for failing to disclose cybersecurity problems

SolarWinds charged by SEC for failing to disclose cybersecurity problems
SolarWinds charged by SEC for failing to disclose cybersecurity problems


The Securities and Exchange Commission charged software company SolarWinds on Monday for failing to publicly disclose alleged cybersecurity failures that led to one of history’s biggest computer breaches.

In a complaint filed in the Southern District of New York, the SEC contends that SolarWinds and the company’s chief information security officer, Tim Brown, repeatedly violated the antifraud disclosure and internal controls provisions of federal securities law by not disclosing vulnerabilities that the company knew could lead to a hack.

Later, SolarWinds suffered a breach of its network monitoring software, Orion, that allowed hackers suspected to be connected to the Russian government to infiltrate thousands of customer organizations that included nine federal agencies. The breach began as early as 2019 but only became public in 2020.

On Monday, the company accused the SEC of “overreach” and described itself as “disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company.” It said it was “deeply concerned this action will put our national security at risk” by seeming to require companies to publicly reveal vulnerabilities before they have had a chance to fix them.

SolarWinds, which is headquartered in Austin, claims it has more than 300,000 customers, including 96 percent of the Fortune 500, and bills itself as a leading provider of software that manages and monitors an organization’s information technology. The Government Accountability Office called the breach “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector.”

“Dating back to at least October 2018, when SolarWinds conducted its [initial public offering] continuing through at least December 2020, SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds securities risks and practices in at least three types of public disclosures,” the SEC complaint says.

In a briefing with reporters, the SEC said the complaint is not “Monday morning quarterbacking.” It said the company would have violated federal securities law even if the breach had not happened.

According to the SEC, Brown and others had received ample warning of vulnerabilities at SolarWinds but did not disclose those problems publicly. In one internal warning in September 2020, SolarWinds executives were told “the volume of security issues being identified over the last month have outstripped the capacity of engineering teams to resolve.” In another, in November of that year, a senior manager noted that, “We’re so far from being a security-minded company.” The warnings date back as far as 2018, according to the SEC.

The SEC said that SolarWinds also failed to disclose in December 2020 that attackers already had successfully exploited vulnerabilities against SolarWinds customers multiple times over the prior six months.

Because the SEC sent notices this summer to the company about a potential enforcement action, SolarWinds had already vowed to fight it.

“We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision,” SolarWinds CEO Sudhakar Ramakrishna wrote in an internal email in June. “And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.”

correction

An earlier version of this story incorrectly reported that SolarWinds was headquartered in Tulsa. It’s headquartered in Austin. It was founded in Tulsa. This version has been corrected.

Related posts

YouTube lays off 43 unionized Google contractors as they appealed to city council

newsconquest

Samsung Frame TV Black Friday Deals Save You as Much as $1,000

newsconquest

Netflix: The 50 Absolute Best TV Shows to Watch

newsconquest