Information technology firm SolarWinds, which was targeted by a Russian-backed hacking group in one of the worst cyber-espionage incidents in U.S. history in 2019, committed fraud and failed to maintain adequate internal controls for years prior to the hack, the Securities and Exchange Commission alleged in a lawsuit.
The suit, filed Monday, also names SolarWinds’ chief information security officer Tim Brown, and alleges that the company overstated its cybersecurity practices and understated known vulnerabilities in the company’s systems.
SolarWinds shares dropped 1.5% on Tuesday.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” SEC enforcement director Gurbir Grewal said in a press release.
SolarWinds went public in 2018, and made only “generic” disclosures about cybersecurity risk in both its prospectus and in continued filings, the complaint said. However, the SEC alleged that SolarWinds and Brown knew that the company’s cybersecurity practices were weak, pointing to an internal presentation from Brown that was made the same month SolarWinds went public.
SolarWinds’ “current state of security leaves us in a very vulnerable state,” Brown allegedly wrote in the presentation. The SEC complaint cited numerous internal emails and messages that openly discussed alleged false statements made by the company, material risks in its cybersecurity systems, and products “riddled” with vulnerabilities.
It appears to be one of the first times the SEC has alleged a company misled and defrauded investors over cybersecurity risks.
The attack was particularly severe because numerous government agencies relied on SolarWinds’ “crown jewel” Orion software. Orion is used to manage technology and I.T. systems. It was compromised by a Russian-aligned group codenamed Nobelium in 2019, a hack that remained undetected through most of 2020.
The myriad vulnerabilities known by the company weren’t acknowledged in the company’s regulatory disclosures, the SEC alleged, and some directly led to the Russian-backed hack of Orion.
“Can’t really figure out how to unf**k this situation,” an information security employee allegedly said when describing flaws in their flagship Orion product to a manager in a 2020 message cited by the complaint. Solarwinds filed a regulatory disclosure acknowledging the hack in December 2020, a month after the employee allegedly messaged their manager. The filing was drafted by Brown, among other executives, and signed by SolarWinds’ then-CEO Kevin Thompson.
The SEC alleged that SolarWinds, despite acknowledging the hack, failed to disclose that the vulnerability that the Russian hackers exploited had also been exploited to target other SolarWinds customers, including two unnamed cybersecurity firms and one unnamed federal agency.
The 68-page complaint accuses the company and Brown of misleading investors about compliance with widely accepted cybersecurity frameworks, falsely claiming that SolarWinds had a strong password policy, and falsely claiming SolarWinds had strong access controls while “for years” maintaining weak controls that granted employees administrative access “routinely and pervasively.”
The complaint also cited specific alleged misstatements by Brown, who is still SolarWinds’ CISO. From 2019 through 2020, Brown allegedly made numerous public statements claiming that the company was “focused” on “hygiene” and “cyber best practices” on blogs, podcasts, and websites. In reality, Brown knew that the company was not following those best practices, the SEC alleged.
“A reasonable investor, considering whether to purchase or sell SolarWinds stock, would have considered it important to know the true state of SolarWinds’ security, especially regarding the state of the Company’s access controls for ‘information systems’ and ‘sensitive data,'” the SEC said in the complaint.
The suit comes as major corporations prepare for a new cyber disclosure rule that would require companies to report cybersecurity incidents within a few days of discovery. Regulators have begun to pay increasing attention to hacks, in the wake of significant breaches that materially impacted corporations from Clorox to MGM Resorts.
In a statement Monday, the company said it believed the SEC was pursuing “a misguided and improper enforcement action against us.” SolarWinds also filed the statement with the SEC.
“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards,” the filing from SolarWinds CEO Sudhakar Ramakrishna, referring to the codename for the hack.
A SolarWinds spokesperson said in a statement the SEC’s charges are unfounded and that it will contest them in court. The company said it has been engaging with the SEC for three years and emphasized that it is fully supporting Brown, who will continue to serve as SolarWinds’ CISO.
“Mr. Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” Brown’s attorney Alec Koch said in a statement to CNBC.
Correction: SolarWinds is an information technology firm. An earlier version mischaracterized the company’s industry.