SolarWinds and its CISO Face SEC Allegations

Executive Summary

In a surprising turn of events, the Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, for alleged misconduct related to the company’s cybersecurity practices and disclosures. The charges stem from a cybersecurity breach and subsequent revelations that have sent shockwaves through the cybersecurity community.

This case has far-reaching implications, particularly in reshaping the role of Chief Information Security Officers (CISOs) within organisations.

About the Charges

The SEC’s charges against SolarWinds and its CISO, Timothy G. Brown, revolve around allegations that the company misled investors regarding its cybersecurity practices and known risks. The charges point to fraud and internal control failures, specifically concerning cybersecurity vulnerabilities present between SolarWinds’ initial public offering (IPO) in October 2018 and the disclosure of the sophisticated cyberattack named “SUNBURST” in December 2020.

Evidence cited in the SEC’s complaint includes internal documents, presentations, and communications within SolarWinds that highlight the company’s awareness of specific cybersecurity deficiencies and escalating threats. The complaint contrasts these documents with what the company had disclosed to the public, alleging that SolarWinds downplayed known risks and cybersecurity weaknesses. A key piece of evidence is a 2018 internal presentation indicating that SolarWinds’ remote access setup was “not very secure” and that it could lead to significant reputational and financial loss.

Response from SolarWinds

SolarWinds, based in Austin, Texas, has strongly opposed the SEC’s charges. The company maintains that it had appropriate cybersecurity controls in place prior to the SUNBURST incident.

Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, expressed concerns about the SEC’s actions, characterising them as a “misguided and improper enforcement action.” He sees these charges as regressive and detrimental to the industry’s progress in cybersecurity.

Ramakrishna also voiced apprehension that the SEC’s actions might hinder information-sharing among cybersecurity professionals and disrupt public-private partnerships. The company views the charges as an example of regulatory overreach and plans to clarify its position in court.

Takeaways

The SEC’s charges against SolarWinds are set to transform the landscape of cybersecurity accountability and the responsibilities of CISOs. These charges underscore the importance of CISOs diligently documenting and escalating security concerns to upper management within their organisations.

This shift in accountability will likely bring about significant changes to the CISO role, organisational dynamics, and performance evaluations, affecting not only US-based companies but companies globally. The case underscores the necessity of a professionalised CISO community, including considerations such as Director and Officer liability insurance coverage and access to independent legal advice.

Moreover, these charges signal a shift in corporate reporting of security issues, influencing various aspects of information production, including IPO reporting, risk management, and breach reporting. Organisations need to recognise that other regulatory bodies, such as the FTC, are also closely scrutinising the accuracy of cybersecurity disclosures.

Lastly, increased risk aversion in discharging legal duties could result in more thorough breach reports, increased transparency, and a more contentious legal environment post-breach, potentially affecting business value and stock prices following security incidents.

In conclusion, the SEC’s charges against SolarWinds represent a pivotal moment for the cybersecurity industry, highlighting the need for increased accountability, transparency, and proactive efforts to mitigate cybersecurity risks. The role of CISOs is expected to evolve substantially, with wider implications for businesses across the globe.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.