SEC charges SolarWinds and Chief information security officer with fraud, internal control failures

Posted on

The Securities and Exchange Commission has charged charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed ā€œSUNBURST,ā€ SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.Ā In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWindsā€™ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time. Here is a copy of the Complaint; https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf

As the complaint alleges, SolarWindsā€™ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWindsā€™ remote access set-up was ā€œnot very secureā€ and that someone exploiting the vulnerability ā€œcan basically do whatever without us detecting it until itā€™s too late,ā€ which could lead to ā€œmajor reputation and financial lossā€ for SolarWinds. Similarly, as alleged in the SECā€™s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the ā€œcurrent state of security leaves us in a very vulnerable state for our critical assetsā€ and that ā€œ[a]ccess and privilege to critical systems/data is inappropriate.ā€

In addition, the SECā€™s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the companyā€™s ability to protect its critical assets from cyberattacks. For example, according to the SECā€™s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was ā€œvery concerningā€ that the attacker may have been looking to use SolarWindsā€™ Orion software in larger attacks because ā€œour backends are not that resilient;ā€ and a September 2020 internal document shared with Brown and others stated, ā€œthe volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.ā€

The SECā€™s complaint alleges that Brown was aware of SolarWindsā€™ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.

ā€œWe allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWindsā€™ cyber risks, which were well known throughout the company and led one of Brownā€™s subordinates to conclude: ā€˜Weā€™re so far from being a security minded company,ā€™ā€ said Gurbir S. Grewal, Director of the SECā€™s Division of Enforcement. ā€œRather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the companyā€™s cyber controls environment, thereby depriving investors of accurate material information. Todayā€™s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the companyā€™s ā€˜crown jewelā€™ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.ā€

The SECā€™s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the companyā€™s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

The SECā€™s investigation was conducted by W. Bradley Ney, Lory Stone, and Benjamin Brutlag, with assistance from the Trial Unitā€™s Christopher Bruckmann and Kristen Warden, and was supervised by Carolyn M. Welshhans and Melissa R. Hodgman. The SECā€™s litigation will be led by Mr. Bruckmann and Ms. Warden under the supervision of Melissa Armstrong.

JEFFREY NEWMAN AND HIS FIRM REPRESENT WHISTLEBLOWERS UNDER THE SEC AND CFTC WHISTLEBLOWER PROGRAMS AND ALSO HEATLHCARE FRAUD CASES UNDER THE FALSE CLAIMS ACT. HIS FIRM SITE IS WWW.JEFFNEWMANLAW.COM AND HE CAN BE REACHED AT JEFF@JEFFNEWMANLAW.COM OR 617-823-3217