SolarWinds and its long-time CISO Timothy Brown are set to face US SEC charges, alleging that critical vulnerabilities that led to the infamous SUNBURST attack were known but sat on.
SUNBURST was a trojanised version of the Orion network management plug-in that was used to compromise some 18,000 customers for close to nine months by breaching a SolarWinds update server and dropping malicious software on it.
The Securities and Exchange Commission (SEC) alleged today that, for years, SolarWinds had “overstat[ed] its cyber security practices and understat[ed] or fail[ed] to disclose known risks.”
The company’s regulatory filings disclosed “only generic and hypothetical risks” during a period in which, the SEC alleges, “specific deficiencies in SolarWinds’ cyber security practices” existed.
The SEC’s complaint alleges the existence of multiple internal presentations that cast doubt over the security of “SolarWinds’ remote access set-up” and of protections around “[a]ccess and privilege to critical systems/data”.
The SEC also alleged that questions were repeatedly raised over the company’s cyber security posture, and that Brown, in particular, was aware of vulnerabilities but “failed to resolve the issues or, at times, sufficiently raise them further within the company.”
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” SEC enforcement division director Gurbir S. Grewal said in a statement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.
“Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC is seeking “permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.”