SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors
SEC Seeks to Ban Brown From Serving as Officer, Director of Publicly Traded Company
Federal regulators charged SolarWinds and CISO Tim Brown with fraud and internal control failures for allegedly misleading investors about the company's cybersecurity practices and risks.
The Securities and Exchange Commission said the Austin, Texas-based vendor and its top security official disclosed only generic and hypothetical risks even though they knew about specific issues in SolarWinds' cybersecurity practices. The alleged misconduct took place from the time of the company's October 2018 IPO until its December 2020 announcement that its Orion network monitoring product had been compromised.
Hackers from the Russian Foreign Intelligence Service penetrated the company's updates for Orion, allowing them to spy on high-value customers, including nine federal agencies.
"Misstatements, omissions, and schemes concealed both the company's poor cybersecurity practices and its heightened - and increasing - cybersecurity risks," the SEC charged in a complaint filed in the Southern District of New York.
"SolarWinds' public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the company's cybersecurity policy violations, vulnerabilities, and cyberattacks," the complaint says.
Federal regulators seek to permanently ban Brown from serving as an officer or director of a publicly traded company and to impose civil monetary penalties and the return of any ill-gotten gains. SEC staff in June recommended enforcement action against SolarWinds; Brown, 59; and CFO Bart Kalsu, 55, for allegedly violating federal securities laws. Kalsu wasn't named in the official SEC complaint filed Monday (see: SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws).
SolarWinds' stock is down just $0.01 - or 0.1% - to $9.30 per share in after-hours trading Monday. The first signs of regulatory trouble for SolarWinds emerged in October 2022, when the SEC said SolarWinds had violated federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures (see: SolarWinds May Face SEC Investigation Over Hack Disclosure).
The SEC since 2011 has interpreted securities law as obligating companies to report risks and incidents, guidance it strengthened in 2018. Critics say the disclosures are typically cookie-cutter statements that reveal little about actual challenges in cyberspace.
SolarWinds, Brown Forcefully Deny Allegations
SolarWinds CEO Sudhakar Ramakrishna wrote in a blog Monday that the company had maintained adequate cybersecurity controls prior to discovering the high-profile Russian software supply chain attack and will vigorously oppose this action by the SEC. Ramakrishna was previously CEO of Pulse Secure and became SolarWinds' CEO in a preplanned transition just days after the company learned of the massive attack.
"The SEC's charges now risk the open information sharing across the industry that cybersecurity experts agree is needed for our collective security. They also risk disenfranchising earnest cybersecurity professionals across the country," Ramakrishna asserted. "I worry these actions will stunt the growth of public-private partnerships and broader information sharing, making us all even more vulnerable."
A company spokesperson echoed similar themes, telling Information Security Media Group: "The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency's overreach and should alarm all public companies and committed cybersecurity professionals across the country."
Brown is being represented by King & Spalding. Attorney Alec Koch told ISMG that Brown had performed his responsibilities "with diligence, integrity, and distinction."
Brown has been responsible for SolarWinds' internal IT security, product security and security strategy since joining the company in July 2017 and was promoted to CISO in January 2021. Prior to that, he spent five years as chief product officer at vulnerability risk management provider NopSec and four years as Dell's executive director for security, where he viewed the portfolio from a holistic standpoint.
Red Flags Amassed But Were Never Disclosed, SEC Says
The SEC said SolarWinds' security problems date back to at least June 2018, when a network engineer warned in a presentation shared with Brown that the company's remote access setup was "not very secure," meaning that someone exploiting this vulnerability "can basically do whatever without us detecting until it's too late," which could lead to a "major reputation and financial loss" for SolarWinds.
In October 2018, the same month SolarWinds filed a registration statement containing only generic and hypothetical cybersecurity risk disclosures, Brown wrote in an internal presentation that SolarWinds' "current state of security leaves us in a very vulnerable state for our critical assets." In August 2019, Brown wrote in a presentation that "access and privilege to critical systems/data is inappropriate."
In a July 2020 email to Brown, a member of the company's engineering team described being "spooked" by activity at a SolarWinds customer, according to the SEC. Brown agreed that the incident had been "very concerning" and told his subordinates, "As you guys know, our back-ends are not that resilient, and we should definitely make them better."
Two months later, a manager from SolarWinds' engineering team submitted a risk acceptance form to Brown and others that flagged "the risk of legacy issues in the Orion Platform" and warned "the volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve."
A SolarWinds senior information security manager in October 2020 expressed his disgust with the company's cybersecurity posture, writing in an instant message, "We're so far from being a security minded company. Every time I hear our head geeks talking about security I want to throw up."
"Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information," said SEC Enforcement Division Director Gurbir Grewal. He urged companies to "implement strong controls calibrated to your risk environments and level with investors about known concerns."