SEC charges against SolarWinds CISO send shockwaves through security ranks
The Securities and Exchange Commission (SEC) has charged SolarWinds Corp., along with its CISO Tim Brown, with fraud and internal control failures related to the 2020 supply chain cyberattack on the company’s Orion Platform, which ultimately led to the compromise of US government departments by Russian intelligence.
The charges are already sending shockwaves throughout the CISO community.
At issue, according to the SEC, is the discrepancy between what Brown and other SolarWinds employees were saying internally versus what they disclosed to investors.
Internal messages revealed employees were well aware they were misleading customers in the wake of the discovery of the Orion vulnerability, the SEC explained in its complaint.
“Well, I Just Lied”
“Shortly after the October 2020 attack against Cybersecurity Firm B, SolarWinds employees including Brown recognized similarities between the attack on U.S. Government Agency A,” the SEC Complaint said. “But when personnel at Cybersecurity Firm B asked SolarWinds employees if they had previously seen similar activity, InfoSec Employee F falsely told Cybersecurity Firm B that they had not. He then messaged a colleague ‘Well, I just lied.’”
But the failure to put appropriate cybersecurity controls in place at SolarWinds started as far back as 2018, according to the regulator. The SEC alleges Brown was aware of, but ignored, warnings about the company’s vulnerabilities, including a 2018 presentation by a SolarWinds engineer that flagged the company’s remote access setup as “not very secure,” and explained a threat actor could use it to “basically do whatever without us detecting it until it’s too late,” the filing said.
By ignoring these warnings about the cybersecurity posture of the company and failing to raise the issue up the chain of command, the SEC alleges Brown willfully left the company’s systems unprotected.
Brown Accused of Selling Inflated SolarWinds Stocks
SolarWinds filed an incomplete 8-K disclosure with the SEC in December 2020, and Brown personally profited from the inflated stock price, according to the charges.
“SolarWinds stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint,” the SEC said.
To read the complete article, visit Dark Reading.