The US financial regulator, SEC, has charged software specialist SolarWinds and its CISO with fraud against shareholders. This is for concealing the company’s poor cybersecurity leading up to the SUNBURST supply-chain attack in December 2020.
The SEC recently charged SolarWinds and its CISO Timothy G. Brown with fraud against the software company’s shareholders, writes The Register. The charges were filed with a New York state judge.
According to the regulator, the fraud resulted from poor implementation of cybersecurity and “overestimating” the security measures applied and/or “under-recognizing” and failing to disclose risks known at the time.
In short, the company and its CISO ensured that security measures were not in place at the time of the supply-chain attack. Furthermore, they failed to inform shareholders of this adequately.
False representations
According to the SEC investors were misrepresented about the company’s cyber security from the IPO in late 2018 until December 2020. This by bringing out only generic and hypothetical risks at a time when both knew there were certain deficiencies in the company’s cybersecurity measures, and SolarWinds was also facing very high risks at the same time.
Brown reportedly indicated in 2018 and 2019 that the company’s security status left much to be desired. Among other things, he indicated that the company’s critical assets were highly vulnerable to outside access.
The SEC particularly blames SolarWinds and Brown for the fact that there had been warnings about the company’s security dangers for years, but nothing was done about them.
Backdoor in Orion network monitoring tool
In December 2020, it was revealed that SolarWinds’ Orion network monitoring tool became misused through a backdoor. This allowed the hackers to spread malware to about 18,000 companies and organizations.
Victims included several U.S. government agencies and ministries, as well as tech companies Microsoft, Intel, Cisco and Nvidia, for example.
Read more: Microsoft Exchange Server hacked, what are the consequences?
SolarWinds response
SolarWinds settled with its shareholders in November 2022 but was unaware that the SEC would take further action. In a response to The Register, the company expressed disappointment in the regulator’s response.
The SEC is said to be in the process of “fabricating” a claim, going beyond its responsibilities. The latter should be a warning to all companies and cybersecurity professionals in the US, according to the company.