SEC sues SolarWinds for allegedly fraudulent cybersecurity statements

The Securities and Exchange Commission filed a civil suit against SolarWinds and its chief information security officer on Monday, alleging fraudulent statements that misled investors about the company's cybersecurity posture.

The lawsuit, announced Monday, alleges that SolarWinds and CISO Timothy G. Brown defrauded investors over a nearly two-year period by failing to disclose cybersecurity weaknesses between the company's initial public offering in October 2018 and December 2020, when the company announced it had been targeted in a massive cyberattack dubbed SUNBURST linked to Russian threat actors.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company," said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information."

In a post on SolarWinds' blog, CEO Sudakar Ramakrishna said the company "will vigorously oppose this action by the SEC."

Ramakrisha, who joined SolarWinds just days after the news of the hack was disclosed, said that the company's response to the break was "exactly what the U.S. government seeks to encourage," in terms of transparency and cooperation.

"So, it is alarming that the Securities and Exchange Commission has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages," Ramakrishna said.

The SolarWinds hack sent shockwaves throughout the federal government because the company's IT management software is so widely used throughout the federal enterprise. The Cybersecurity and Infrastructure Security Agency ordered civilian agencies to turn off all instances of the SolarWinds Orion platform in December 2020 when the hack was first disclosed. 

According to the lawsuit, the state of SolarWinds internal controls and its history of allegedly false and misleading statements about its security posture "would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack."

The SolarWinds breach led to the formation of the Cyber Safety Review Board, a public-private group housed at CISA that reviews high-profile cybersecurity incidents. According to Ramakrishna, the SEC's lawsuit runs counter to the spirit of collaboration that emerged in the wake of the hack.

"The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security," Ramakrishna said.