SolarWinds Faces SEC Lawsuit Alleging Fraud and Misleading on Cybersecurity

SolarWinds, the information technology firm that was at the center of a major Russian-backed cyber-espionage incident in 2019, is now facing a lawsuit from the U.S. Securities and Exchange Commission (SEC). The lawsuit alleges that SolarWinds committed fraud and failed to maintain adequate internal controls for several years prior to the hack. SolarWinds’ Chief Information Security Officer, Tim Brown, is also named in the lawsuit.

The SEC’s complaint asserts that SolarWinds made generic disclosures about cybersecurity risks in its prospectus and continued filings when it went public in 2018. However, the SEC alleges that the company was aware of its weak cybersecurity practices, pointing to an internal presentation from Brown that took place the same month SolarWinds went public. The complaint cites numerous internal emails and messages discussing false statements made by the company and the vulnerabilities in its products.

The 2019 attack on SolarWinds was severe as it affected multiple government agencies relying on the company’s Orion software. The SEC alleges that known vulnerabilities within the company’s products were not disclosed in regulatory filings, and some of these vulnerabilities directly contributed to the Russian-backed hack.

The complaint also accuses SolarWinds of misleading investors about its compliance with cybersecurity frameworks, falsely claiming strong password policies and access controls, and making false public statements about the company’s focus on cybersecurity best practices.

SolarWinds has responded by saying it believes the SEC is pursuing a misguided and improper enforcement action against the company. The company intends to contest the charges in court. SolarWinds maintains that it has consistently improved its cybersecurity posture and supported Tim Brown, who will continue to serve as Chief Information Security Officer.

This lawsuit comes as major corporations prepare for a new cyber disclosure rule that requires companies to report cybersecurity incidents within a few days of discovery. Regulatory scrutiny of cyber incidents is increasing, particularly in the wake of significant breaches impacting various corporations.

- Advertisment -ad

Most Popular