Heads up, compliance and internal audit professionals! The Securities and Exchange Commission just filed a potentially profound lawsuit against the tech company SolarWinds and its CISO for misleading investors about the state of that company’s cybersecurity defenses — defenses that were proven toothless during a cybersecurity breach in 2020.
The lawsuit, filed Monday against SolarWinds and its CISO Timothy Brown, alleges that they defrauded investors by overstating SolarWinds’ cybersecurity practices in the late 2010s and failing to disclose known risks and cybersecurity shortcomings.
“We allege that for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” SEC enforcement chief Gurbir Grewal said in a statement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
We should be clear that the SEC’s complaint is only a lawsuit, not a settled enforcement action. SolarWinds called the lawsuit a “misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages … We will vigorously oppose this action by the SEC.” Brown issued no response personally.
The essence of this case is whether SolarWinds was making bland, boilerplate disclosures about risk to investors, while internally its executives knew those disclosures were misleading — and if so, what liability should CISO Brown face for participating in that deception?
That’s why this case is so important. It opens the door to other risk assurance executives — like, say, compliance officers — facing liability for disclosures about other types of risk that later turn out to be erroneous.
The lawsuit is also important because it arrives on the heels of the SEC’s decision earlier this year to require expanded new disclosures about cybersecurity risk and attacks. So we’re going to take a deep dive into this case over several posts. First up: the allegations themselves.
SolarWinds: The Background
SolarWinds sells software to other companies to help them manage their IT infrastructure. One of its flagship products was known as Orion. In the late 2010s, SolarWinds sold Orion to thousands of corporations, government agencies, colleges, and other large organizations. By 2020 Orion accounted for 45 percent of SolarWinds’ revenue, which totaled $572.7 million that year.
That same year, SolarWinds fell victim to what some have described as the most sophisticated cyber attack ever launched, known as Sunburst.
All evidence suggests that Russia was behind the Sunburst attack. Its minions, working through various hacking groups, began targeting SolarWinds sometime in 2019. They exploited a vulnerability in SolarWinds’ virtual private network and, through an unmanaged device connected to the VPN, gained access to SolarWinds IT systems.
From there, the hackers carefully planted malicious code into the Orion software itself. In spring 2020, SolarWinds sent out a regular software update to its Orion customers that carried that malicious code. As customers installed the contaminated Orion update, they were also installing spyware developed by the Russian hackers.
Some 18,000 customers downloaded the infected software update. Within that group, hundreds fell victim to the Russian spyware. They included companies such as Intel, Microsoft, and Cisco Systems, and government agencies including the Treasury, Justice, Defense, and Energy departments. Even CISA, the Cybersecurity and Infrastructure Security Agency — the U.S. government’s primary agency for tackling cybersecurity risk — was a victim.
The attack finally came to light in December 2020 when FireEye, a cybersecurity firm, discovered that it had been the victim of a “nation-state attack.” FireEye soon traced the attack back to the infected patch from SolarWinds, and that’s when people began to grasp the severity and extent of what had happened.
Brown was vice president of security and architecture the entire time. He was promoted to CISO in early 2021, where he remains to this day.
The Disclosures and Discrepancies
So while that cyber attack was unfolding in 2019 and 2020, what was SolarWinds telling investors about the state of its cybersecurity, and what were SolarWinds employees (including Brown) telling each other? That’s a huge part of this case.
The SEC complaint paints an unflattering picture. For example, from 2018 onward SolarWinds publicly posted a “Security Statement” that discussed the company’s security practices. One claim from that statement: that SolarWinds created its software products in a “secure development lifecycle [that] follows standard security practices.”
Except, on the inside, employees were saying anything but that. In 2018, one engineering manager sent an email to senior managers warning, “I’ve gotten feedback that we don’t do some of the things that are indicated” in the Security Statement’s section on secure software development. “I want to make sure that you all have an answer to this … We will be working with teams throughout 2018 to begin incorporating [secure development] into their development lifecycle.”
More examples: In November 2020 (when the Sunburst attack was already widespread, but nobody had discovered that yet), one senior security manager declared in an instant message, “We’re so far from being a security-minded company. Every time I hear about our head geeks talking about security I want to throw up.” Another engineer sent a message that same month to the manager saying, “The products are riddled and obviously have been for many years.”
A more mundane example comes from the world of password policies. The company’s Security Statement declared that SolarWinds took passwords seriously: all authorized users had unique account IDs (that is, no shared accounts or passwords), and “Our password best practices enforce the use of complex passwords” that had to be updated every 90 days.
Internal communications, however, showed that employees found important passwords shared on the cloud, including one password set as “solarwinds123.” (Not even upper-case letters? Yeesh.) A March 2020 email and a quarterly risk presentation, drafted with input from Brown and shared with SolarWinds’ senior executives, described a SOX compliance audit that flagged situations where “password requirements were not met.”
We could go on from there, but the gist of things is clear. SolarWinds was publishing generic, standard-issue statements to investors about its security posture. Inside, employees under Brown’s domain were escalating concerns that contradicted those statements.
So what duty did the company have to act upon those concerns? What duty did the company have to update its public disclosures to reflect those concerns? And to what extent should Second Line of Defense executives such as Brown face accountability for any failure in those duties?
Those are the questions that arise from this lawsuit, staring compliance officers and internal auditors right in the face. If the SEC succeeds in this case — a big if, which we’ll explore in due course — that could have profound implications for personal liability you might face on the job and career-security moves you’ll need to take in response.
That’s enough for our first post. Next: a look at previous SEC enforcement actions over shoddy disclosure controls that brought us to this point.