Legal and risk management experts say the Securities and Exchange Commission’s decision to file fraud charges against SolarWinds should be considered a warning for all public companies to heed the agency's new cyber disclosure requirements.
The SEC charged the company and CISO Tim Brown with defrauding investors, alleging the company concealed known security weaknesses and overstated its security practices in the period leading up to the Sunburst supply-chain compromise disclosed in December 2020.
SolarWinds could face considerable financial penalties and Brown, who was promoted to CISO months after the attack, could be permanently barred from working as a corporate officer or director if the SEC prevails.
“The SEC has made it abundantly clear that organizations need to take the new disclosure mandates very seriously,” John Farley, managing director of the cyber liability practice at Gallagher, said via email. “Their public disclosures specific to their cyber risk management strategies must reflect reality and be put in practice every day.”
The SolarWinds case comes less than two months after the SEC’s new disclosure rules took effect, requiring publicly traded companies to disclose material cyber incidents.
Following a short grace period, companies will have to report material cybersecurity incidents on a Form 8-K within four business days of determining that an incident is material. Companies will also have to file annual disclosures describing board oversight of cyber risk and the role of management in the company's cybersecurity risk strategy.
Industry shockwaves
The SEC case sent shock waves across the industry, as the complaint outlined detailed internal emails, documents and other evidence showing Brown and other executives openly discussed considerable concerns about security vulnerabilities and other internal weaknesses at SolarWinds.
For example, in 2018 a network engineer at SolarWinds identified a gap in the configuration of the company's remote-access virtual private network that could allow an outside device to connect to the corporate network. The engineer warned the configuration was "not very secure" and could give a threat actor undetected access.
In another example, a 2018 email to senior managers indicated that the company's public claim to follow a Secure Development Lifecycle was false, and that executives worked to conceal this until the company had time to make the claim true.
“They knew what their environment was,” attorney Aaron Tantleff, a partner at Foley & Lardner, said.
SolarWinds also acknowledged internally that it was not maintaining proper security controls, while making statements to the contrary in public.
The lawsuit against SolarWinds is not the first time the SEC has taken action over cybersecurity disclosures. Earlier this year, the agency charged Blackbaud, an educational software company, with making misleading statements about a 2020 ransomware attack. The company agreed to pay $3 million to settle the charges.
Corey Thomas, CEO of Rapid7, speaking during a quarterly conference call Wednesday, said the current threat environment and the recent SEC crackdown are having an impact on how CISOs view their security priorities.
"CISOs, especially with some of the SEC's recent actions as it relates to SolarWinds and other things, are clearly very focused on security and their own personal accountability," Thomas said in response to an analyst's question. "And so they have security as a top priority."
The SEC’s action comes at a time when federal and state authorities are more focused on protecting consumer data and making sure companies maintain proper internal controls. Authorities are also sending a message that companies need to remain transparent when something goes wrong.
In 2022, former Uber CSO Joseph Sullivan was found guilty of obstruction of justice and misprision of a felony after he covered up a 2016 data breach while the Federal Trade Commission was investigating the company over an earlier data security incident.
Later in 2022, the FTC ordered Drizly, an online liquor marketplace and subsidiary of Uber, to reform its data security practices after the company failed to secure its environment in the period leading up to a 2020 breach. The FTC also ordered Drizly CEO James Rellas to implement a data security program at any future company he moves to.
Companies are now beginning to realize that the SEC will put teeth behind its new incident disclosure requirements. The agency is sending a message that corporations must be transparent in how they present their security risks to the investment community, according to lawyers.
Through the new rules and its enforcement action, the SEC is making it clear “that cybersecurity requires the attention of senior most executives,” said Michael Bahar, a partner and co-lead of global cybersecurity and data privacy at Eversheds Sutherland.
"Second, the SEC is warning that companies which do not err on the side of disclosure risk being found in error," Bahar said.
SolarWinds, for its part, vehemently denied the allegations. The company, in regulatory filings and in a blog post, said it has embraced secure development practices and cited its collaboration with federal authorities on raising industry standards for secure-by-design practices.
“Our commitment to transparent communication has extended beyond customers to the entire industry and our government partners,” SolarWinds CEO Sudhakar Ramakrishna said in the blog post. “We made a deliberate choice to speak — candidly and frequently — with the goal of sharing what we learned to make others more secure.”