Stay informed with free updates
Simply sign up to the Cyber Security myFT Digest — delivered directly to your inbox.
SolarWinds, the IT company breached by Russian hackers as part of a sprawling espionage campaign in 2020, has been sued by the US Securities and Exchange Commission.
The SEC on Monday filed a complaint accusing the company and chief information security officer Tim Brown of misleading investors by not disclosing “known risks” and not accurately representing its cyber security measures.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement.
The alleged wrongdoing occurred from at least the company’s initial public offering in October 2018 to December 2020, when one of the biggest cyber attacks in recent history put a spotlight on what until then had been a little-known Austin-based supply chain company. Hackers backed by Russian intelligence exploited a SolarWinds software product in order to spy on businesses and government organisations globally, including the US commerce and Treasury departments.
A SolarWinds spokesperson said the company was “disappointed by the SEC’s unfounded charges”. Lawyers representing Brown said he had “performed his responsibilities at SolarWinds . . . with diligence, integrity, and distinction” and said they looked forward to “defending his reputation”.
The SEC’s action is the first time it has attempted to hold a chief information security officer personally liable for cyber security failures. Gary Gensler, SEC chair, has turned his focus to cyber risks, including proposing rules to broaden companies’ disclosures.
According to the complaint, Brown wrote in an internal presentation in 2018 that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets”. The deal’s IPO registration documents, however, had only mentioned “generic and hypothetical cyber security risk disclosures”, the SEC said.
A SolarWinds engineer told Brown in 2020 that he was “spooked” by activity at one of their customers, to which the executive replied saying the matter was “very concerning”, according to the complaint. “As you guys know our backends are not that resilient and we should definitely make them better,” he added, according to the complaint.
The complaint also quoted internal communications warning in 2020 that “[t]he volume of security issues being identified over the last month have outstripped the capacity of engineering teams to resolve”.
The SEC alleged that these shortcomings were exploited in what it called “one of the worst cyber security incidents in history”, which unfolded between January 2019 and December 2020, according to the complaint.
A SolarWinds manager in November 2020 wrote in an instant message: “[E]very time I hear about our head geeks talking about security I want to throw up.”
