According to the Securities and Exchange Commission (SEC), SolarWinds allegedly misled its investors about its own cybersecurity practices. As per complaints, the company also failed to disclose other known risks.
As a result, the SEC charged SolarWinds and its CISO, Timothy Brown, with fraud, alleging that both parties misled investors about the company's cybersecurity practices. There were also alleged internal control failures that the company did not disclose. All these practices led up to the Sunburst attack, which was discovered in December 2020.
SolarWinds stated:
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk.”
The SEC stated that SolarWinds overstated its cybersecurity practices and failed to disclose various known risks. These risks were present from October 2018 to the Sunburst attack in 2020.
Furthermore, according to the SEC, various public statements from SolarWinds were contradictory. A company engineer also made an assessment in 2018 and shared it with Brown and others. As per the assessment, the company's remote access setup was "not very secure."
The company also said,
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country.”
Also, as per a September 2020 document, the number of security issues was more than the capacity of the engineering team. Moreover, SolarWinds made an incomplete disclosure on Form 8-K in a December 14, 2020 filing. Over the next two days, the company's stock also dropped 25%.