
SolarWinds faces SEC lawsuit after 2020 hack


SolarWinds, the IT company breached by Russian hackers as part of a sprawling espionage campaign in 2020, has been sued by the US Securities and Exchange Commission.

The SEC on Monday filed a complaint accusing the company and chief information security officer Tim Brown of misleading investors by not disclosing “known risks” and not accurately representing its cyber security measures.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement.

The alleged wrongdoing occurred from at least the company’s initial public offering in October 2018 to December 2020, when one of the biggest cyber attacks in recent history put a spotlight on what until then had been a little-known Austin-based supply chain company. Hackers backed by Russian intelligence exploited a SolarWinds software product in order to spy on businesses and government organisations globally, including the US commerce and Treasury departments.

A SolarWinds spokesperson said the company was “disappointed by the SEC’s unfounded charges”. Lawyers representing Brown said he had “performed his responsibilities at SolarWinds . . . with diligence, integrity, and distinction” and said they looked forward to “defending his reputation”.

The SEC’s action is the first time it has attempted to hold a chief information security officer personally liable for cyber security failures. Gary Gensler, SEC chair, has turned his focus to cyber risks, including proposing rules to broaden companies’ disclosures.

According to the complaint, Brown wrote in an internal presentation in 2018 that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets”. The deal’s IPO registration documents, however, had only mentioned “generic and hypothetical cyber security risk disclosures”, the SEC said.

A SolarWinds engineer told Brown in 2020 that he was “spooked” by activity at one of their customers, to which the executive replied saying the matter was “very concerning”, according to the complaint. “As you guys know our backends are not that resilient and we should definitely make them better,” he added, according to the complaint.

The complaint also quoted internal communications warning in 2020 that “[t]he volume of security issues being identified over the last month have outstripped the capacity of engineering teams to resolve”. 

The SEC alleged that these shortcomings were exploited in what it called “one of the worst cyber security incidents in history”, which unfolded between January 2019 and December 2020, according to the complaint.

A SolarWinds manager in November 2020 wrote in an instant message: “[E]very time I hear about our head geeks talking about security I want to throw up.”
