The U.S. Securities and Exchange Commission (SEC) initiated legal proceedings against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, on Monday. The SEC's complaint alleges that the company ignored multiple alerts about cybersecurity threats and misrepresented its cybersecurity controls, violating its Rules on Cybersecurity Risk Management.
This legal action was prompted by a major cyberattack suspected to be instigated by the SVR, Russia's foreign intelligence agency. The attack was launched via an update to Orion, SolarWinds' network management software, compromising approximately 18,000 clients. Among those affected were high-profile corporations and key U.S. government departments such as the Treasury, Justice, and Energy departments and the Pentagon.
The SEC's complaint highlights discrepancies between SolarWinds' public declarations concerning its cybersecurity protocols and internal discussions about breaches of the company's cybersecurity policy and identified vulnerabilities.
In response to the SEC's allegations, SolarWinds expressed disappointment, characterizing the accusations as baseless and an instance of agency overreach. The company emphasized its continued commitment to cybersecurity, as evidenced by its Secure by Design initiatives.
This SEC action underscores the regulator's determination to enforce its guidelines and rectify cybersecurity faults in public companies. It also exposes the security shortcomings in public firms, as revealed through SolarWinds' internal communications.
This article was generated with the support of AI and reviewed by an editor.