SEC Charges SolarWinds and CISO With Fraud Related to 2020 Cyberattack

SolarWinds CISO Timothy G. Brown is specifically named for allegedly failing to inform investors or act on known security vulnerabilities.
The Securities and Exchange Commission brought charges against both Austin, TX-based IT management software company SolarWinds and its CISO Timothy G. Brown on October 30, 2023. The SEC alleges that Brown committed fraud and that the company failed to address known internal security weaknesses in the period leading up to the massive Sunburst supply-chain attack against the U.S. federal government disclosed in December 2020.
For CISOs, this case may be a wake-up call, especially at publicly traded companies and at companies that serve government agencies or critical-infrastructure clients.
The SEC alleges that between SolarWinds’ October 2018 initial public offering and the December 2020 announcement of the large-scale cyberattack, SolarWinds and Brown “… defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”
SolarWinds personnel, including Brown, made internal assessments that were at odds with the company’s public statements and its promises to customers, the SEC said. A 2018 presentation by a company engineer found SolarWinds’ remote access setup to be “not very secure,” which could lead to exploitation in which an attacker “can basically do whatever without us detecting it until it’s too late,” according to the SEC complaint.
“The volume of security issues being identified over the last month have (sic) outstripped the capacity of Engineering teams to resolve,” a September 2020 internal document presented to Brown stated, according to the SEC.
Those issues included failures of basic security hygiene, such as leaving default passwords in place.
On some products, default passwords such as “password” remained in use. The password “solarwinds123” was also in use, the SEC filing said.
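The two passwords the SEC filing calls out are the kind a routine credential audit should catch: one is on every default-password list, the other is the company’s own name with a short numeric suffix. The following is an added example, not code from the article, from SolarWinds or from the SEC filing. It audits a constructed configuration file for credentials that are well-known defaults, are derived from the organisation’s name (the “solarwinds123” pattern), or are too short; the denylist, the field names and the sample file are all assumptions made for illustration.

```python
"""Default-credential audit (added example; not SolarWinds or SEC code).

Flags configured secrets that are well-known defaults, that are built from
the organisation's own name (e.g. "solarwinds123"), or that are too short.
"""
import re
from typing import List, Optional, Tuple

# Constructed denylist. A real audit would load a full wordlist such as the
# ones shipped with password-auditing tools; these are just common defaults.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "default", "123456", "letmein"}

# Minimum length policy assumed for this example.
MIN_LENGTH = 12

# Config keys treated as secrets (assumed naming convention).
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)


def classify_password(password: str, org_name: str) -> Optional[str]:
    """Return a reason the password is weak, or None if no rule fires."""
    p = password.lower()
    if p in DEFAULT_PASSWORDS:
        return "well-known default"
    # "solarwinds123": the org name plus at most a few extra characters.
    base = re.sub(r"[^a-z0-9]", "", org_name.lower())
    if base and base in p and len(p) - len(base) <= 6:
        return "derived from organisation name"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def audit_config(text: str, org_name: str) -> List[Tuple[str, str]]:
    """Scan key=value lines and return (key, reason) for each weak secret."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not SECRET_KEY_PATTERN.search(key):
            continue
        reason = classify_password(value, org_name)
        if reason:
            findings.append((key, reason))
    return findings


# Constructed sample; not a real SolarWinds configuration file.
SAMPLE_CONFIG = """\
# sample properties file (constructed for this example)
db.user=orion
db.password=solarwinds123
ftp.password=password
api.token=n8Vq2!kLp9Zx4Rw7Tg
smtp.password=Str0ng-Passphrase-Here-2024
backup.password=admin
"""

if __name__ == "__main__":
    for key, reason in audit_config(SAMPLE_CONFIG, "SolarWinds"):
        print(f"{key}: {reason}")
```

Running the block flags db.password (derived from the organisation name), ftp.password and backup.password (well-known defaults) and leaves the two long, unrelated secrets alone. The org-name rule deliberately ignores a long passphrase that merely contains the company name, so it targets the lazy suffix pattern rather than every mention of the name.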
The SEC also alleges that SolarWinds didn’t disclose the full extent of the Sunburst incident on Dec. 14, 2020. SolarWinds filed a Form 8-K on that date; the 8-K is the filing the SEC requires public companies to make to notify investors of a material event. After the filing, SolarWinds’ stock dropped roughly 25% in two days and roughly 35% by the end of December.
In the attack known as Sunburst, which ran from as early as January 2019 until its discovery in December 2020, attackers suspected of having Russian state backing used SolarWinds’ Orion software, as well as exploits in Microsoft and VMware products, to breach U.S. government agencies’ systems. The state actors inserted malicious code into Orion software updates and used it as a backdoor into customer networks, including government agencies; nearly 18,000 SolarWinds customers installed the compromised update. The attackers then used the backdoor “… for the primary purpose of espionage,” according to the U.S. Government Accountability Office.
The SEC alleges that Brown failed to remediate SolarWinds’ cybersecurity weaknesses or to impress the importance of those weaknesses upon the rest of the executive team. “As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected,” the SEC said, even as SolarWinds continued to reassure customers that their data was safe.
SolarWinds denies the SEC’s claims. “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” SolarWinds said in a public statement emailed to TechRepublic. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
“Whether or not they realize it, CISOs now have a different personal and professional risk landscape to navigate,” said Paul Caron, head of cybersecurity in the Americas at S-RM, a corporate intelligence and cybersecurity consultancy, in an email to TechRepublic. “CISOs are under significant pressure to align with the business view that spend and control maturity are in line with those of their peers … The conditions are set to have every CISO in the field pause and realize that they too can be finally held liable for misleading statements on the security of the programs they manage.”
Caron noted that CISOs should be aware of the SEC’s cybersecurity disclosure rule adopted in July 2023, which requires public companies to disclose any material cybersecurity incident on Form 8-K within four business days of determining that the incident is material.
“With the new SEC disclosure rules and this fraud charge, there will inherently be greater scrutiny on cybersecurity reporting across the board,” Caron said.
“The SolarWinds case is a potent reminder of the critical intersection between security and compliance,” said Igor Volovich, vice president of compliance strategy at compliance company Qmulos, in an email to TechRepublic. “Security is what you do to protect your organization’s assets, data, and reputation, while compliance is how you prove you’re doing it. However, when there’s a delta between your actual control posture and what you report, the stage is set for a narrative no executive wants to be part of.”