On October 30, 2023, the SEC announced charges against software company SolarWinds Corporation and its chief information security officer (“CISO”), Timothy Brown, for allegedly making material misstatements about the company’s cybersecurity practices and about the breach it disclosed, for lacking reasonable internal controls to safeguard the company’s crown-jewel assets, and for lacking reasonable disclosure controls.1 The SEC investigation followed SolarWinds’ widely reported 2020 breach, whose effects were felt throughout the US economy. The case emphasizes two points: companies must ensure that those approving public disclosures have accurate and complete information about cybersecurity risks and incidents, and the individuals who hold that information may be held personally liable for failing to escalate incidents and vulnerabilities to those responsible for public disclosures.
SolarWinds designs and sells network monitoring software. One of its network management platforms, Orion, accounted for approximately 45 percent of SolarWinds’ revenue. Between 2019 and 2020, SolarWinds experienced a two-year-long cybersecurity incident in which the threat actor inserted malicious code into the Orion products, which were then distributed to more than 18,000 customers globally. The SEC’s Complaint alleges that between 2018 and 2021 the company and the CISO misled investors about the strength of its cybersecurity protocols, which were allegedly not reasonably designed to protect its critical assets, including Orion. The SEC further alleges that the company and the CISO misled investors about the incident and its impact.
According to the SEC, between October 2018 and January 2021, SolarWinds and the CISO made allegedly false public statements touting strong and secure cybersecurity practices in line with internationally recognized standards. These statements were allegedly starkly at odds with the vulnerabilities and security gaps known internally at the time. The SEC alleges that the false statements fell into four categories: (1) compliance with the National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”) for evaluating cybersecurity practices; (2) use of a secure development lifecycle (“SDL”) when creating software for customers; (3) strong password protection; and (4) good access controls. For a security practitioner, the practical lesson is that each of these is a specific, verifiable claim: a public statement that the company follows an SDL or enforces strong passwords should be backed by evidence that the control is actually in place, and known gaps should reach the people who sign off on the disclosure.
Read the rest of the story from Norton Rose Fulbright here.