SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown, are facing charges brought by the Securities and Exchange Commission (SEC) for allegedly concealing specific cybersecurity vulnerabilities from investors. These allegations, made on Tuesday, pertain to the period between October 2018 and December 2020. The SEC argues that the company and Brown only disclosed these risks when the Russian Foreign Intelligence Service breached their Orion network monitoring product.
The SEC seeks to ban Brown from holding executive roles in publicly-traded companies, enforce penalties, and recover fraudulent gains. The regulatory body had recommended enforcement against SolarWinds, Brown, and CFO Bart Kalsu earlier this year. CEO Sudhakar Ramakrishna and legal representative King & Spalding have denied these allegations while acknowledging issues with their remote access setup and the Orion Platform.
Gurbir Grewal, SEC Enforcement Division Director, has urged companies to improve their controls in response to the charges against SolarWinds and Brown.
The charges filed by the SEC in the Southern District of New York allege violations of antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 by both SolarWinds and Brown. SolarWinds is also accused of violating reporting and internal controls provisions of the Exchange Act.
According to the SEC, despite Brown's knowledge of specific deficiencies in their cybersecurity practices, SolarWinds disclosed only general risks in its filings during this period. This is despite an internal presentation in 2018 where SolarWinds admitted that its remote access setup was insecure and could lead to major reputation and financial damage. In June 2020, Brown expressed concern over a cyberattack on a SolarWinds customer potentially using their Orion software for larger attacks. Despite being aware of these vulnerabilities, he did not adequately address them within the company.
Brown, who was named CISO of the year by the Globee Cybersecurity Awards, is accused of ignoring significant warnings about the company's cyber risks. The SEC’s enforcement division director, Gurbir Grewal, stated that both SolarWinds and Brown ignored these warnings.
The SEC seeks remedies including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.