SolarWinds and Top Executive Accused of Fraud by the SEC

The SEC charged software maker SolarWinds Corp. and one of its senior officers with fraud, alleging the company failed to report serious cybersecurity issues to investors, according to a lawsuit filed in federal court in New York Monday.

Between October 2018 and January 2021, the company and Chief Information Officer Timothy Brown allegedly “defrauded” investors by covering up the “company’s poor cybersecurity practices and its heightened and increasing – cybersecurity risks,” according to the complaint.

SolarWinds shares closed down almost 2% on Monday.

While an internal presentation allegedly disclosed to company employees that the “current state of security leaves us in a very vulnerable state for our critical assets,” that information was not shared with investors, who were told of "only generic and hypothetical risks,"  the complaint said.

A company spokesperson pushed back against the charges. "We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk," a spokesperson for SolarWinds shared in a statement to The Messenger.

"The SEC’s determination to manufacture a claim against us and [our chief information security officer] is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country," the spokesperson added.

SolarWinds announced in December 2020 that it was the subject of a “massive” cybersecurity attack coined SUNBURST. By the end of that month, company stock had plummeted around 35%.

“SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks,” according to Gurbir S. Grewal, director of the SEC's Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.” 

Employees at the company, including Brown, allegedly were aware of the company’s “serious cybersecurity deficiencies” but did not report them in SEC filings, the complaint said, and cyberattacks were allegedly lumped in the same category as risk like “natural disasters” and “fire.”

In September 2020, though, the company internally reported that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve,” the SEC alleged. 

In addition to measures such as ensuring that SolarWind does not participate in similar actions in the future, the SEC also seeks to bar Brown from being an officer or director. The SEC action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns,” Grewal added. 

A representative for Brown said the executive "has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint."