SolarWinds: SEC Aims To ‘Revictimize The Victim’ With Charges

SolarWinds this month responded to the U.S. Securities and Exchange Commission’s October 2023 allegations that the company defrauded investors by concealing poor cybersecurity practices and heightened cybersecurity risk prior to the 2020 Sunburst attack, saying the company did warn of the possibility of such issues and that providing the level of detail sought by the SEC would confuse investors and provide attackers with information they could exploit.

Observability and IT management platform developer SolarWinds last week filed to ask a federal court to dismiss the U.S. Securities and Exchange Commission complaint against it and its chief information security officer related to the late 2020 SolarWinds Orion cyberattack, a.k.a. Sunburst.

SolarWinds’ filing last Friday in the U.S. District Court Southern District of New York of a motion to dismiss the complaint, along with a memorandum in support of that motion, came in response to the SEC’s October 30, 2023 filing of allegations that SolarWinds and its CISO Timothy Brown, who at the time was vice president of security and architecture for the company, concealed poor security practices and increasing cybersecurity risks that led to the SolarWinds Orion cyberattack.

The attack became one of the most significant cyberattacks in history, resulting in nearly 18,000 SolarWinds customers, including the U.S. government, receiving a compromised software update. However, the company now says fewer than 100 customers were actually hacked through Sunburst.

Following the SEC’s June 2023 filing of Wells notices against SolarWinds and its then-chief financial officer and chief information security officer, which gave the company and its officials notice that they were subject to an enforcement action, the SEC in October filed a complaint with the U.S. District Court Southern District of New York alleging that SolarWinds and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks.”

The SEC also alleged that SolarWinds during its October 2018 IPO provided only generic and hypothetical cybersecurity risk disclosures even as Brown in an internal presentation said the company was in a “vulnerable state” for critical assets because of the current state of security.

“The true state of SolarWinds’ cybersecurity practices, controls, and risks ultimately came to light only following a massive cyberattack—which exploited some of SolarWinds’ poor cybersecurity practices—and which impacted thousands of SolarWinds’ customers. That attack, termed SUNBURST, compromised SolarWinds’ Orion software platform, a flagship product that the Company considered to be a ‘crown jewel’ asset and which accounted for 45% of its revenue in 2020,” the SEC alleged.

SolarWinds, in its Friday response to the allegations, wrote that in December 2020, after it learned about the Sunburst attack, it promptly and transparently disclosed the attack and offered investor updates as any public company should do.

“Nonetheless, more than three years later, the SEC seeks to revictimize the victim, by bringing securities fraud and controls charges against the Company and its Chief Information Security Officer (CISO), Tim Brown. The charges are as unfounded as they are unprecedented. The SEC is trying to unfairly move the goalposts for what companies must disclose about their cybersecurity programs and, with the controls charges, claim a mandate for regulating those programs that the agency does not have,” the company wrote.

“The case is fundamentally flawed and should be dismissed in its entirety,” the company said in its filing.

CRN has reached out to the SEC for comment.

SolarWinds also argued that its risk factors for investors specifically warned that its systems are vulnerable to sophisticated nation-state actors, and that it was not obligated to provide specific vulnerability information in SEC filings.

“Disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers,” the company wrote.

SolarWinds, in its January 26 response to the SEC allegations, wrote that on December 14, 2020, the day after SolarWinds learned of the Sunburst attack, the company made a detailed disclosure in an SEC 8-K filing, which included, among other things, the fact that up to 18,000 customers had downloaded infected versions of Orion, and that Orion accounted for almost half of SolarWinds’ revenue.

In that 8-K, the company wrote that SolarWinds “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but SolarWinds has not independently verified the identity of the attacker.”