The US Securities and Exchange Commission (SEC) has announced charges against software company SolarWinds (run by Indian-origin CEO Sudhakar Ramakrishna) and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The complaint alleged that from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year-long cyberattack, dubbed ‘SUNBURST’, SolarWinds and Brown defrauded investors by overstating the company’s cybersecurity practices and understating or failing to disclose known risks.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” he said in a statement.
In a blog post, SolarWinds CEO Ramakrishna accused the SEC of launching a “misguided and improper enforcement action” against the company and said that it will “vigorously oppose this action”.
“How we responded to SUNBURST is exactly what the US government seeks to encourage. It is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” Ramakrishna added.
“The actions we have taken over the last two and a half years motivate us to stay the course and to push back against any efforts that will make our customers and our industry less secure,” he added.
The SEC complaint said that SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
In addition, the SEC’s complaint alleged that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks.
The complaint alleged that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.
As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected, said the SEC complaint.
Alec Koch, an attorney for Brown, said that he looks forward to defending Brown’s reputation and “correcting the inaccuracies in the SEC’s complaint,” reports TechCrunch.