The Securities and Exchange Commission (SEC) has made legal allegations against SolarWinds and its Chief Information Security Officer (CISO), Tim Brown, regarding fraud and internal control failures. The SEC accuses the Austin-based company and Brown of misleading investors by providing generic and hypothetical information about cybersecurity risks, despite being aware of specific issues in SolarWinds’ cybersecurity practices. The alleged misconduct covers the period from SolarWinds’ October 2018 IPO until the revelation in December 2020 that their Orion network monitoring product was compromised by Russian hackers.
The SEC is seeking a permanent ban on Tim Brown serving as an officer or director of a publicly traded company, alongside monetary penalties and the return of any ill-gotten gains. The stock price has dropped by only $0.01 (0.1%). SolarWinds vehemently disputes the allegations, asserting that the company had adequate cybersecurity controls prior to the Russian supply chain attack and that the SEC’s actions could impede industry-wide information sharing and public-private partnerships. Brown is represented by King & Spalding, which strongly defends his diligence and integrity in performing his role as CISO.
The SEC points to red flags dating back to at least June 2018, highlighting the failure to disclose significant security issues. Despite internal warnings and concerns expressed by SolarWinds’ engineering team and information security managers, the company continued to present an inaccurate picture of its cybersecurity practices. The enforcement action underscores the importance of accurate and transparent cybersecurity disclosures to protect investors and maintain the integrity of the industry. SEC Enforcement Division Director Gurbir Grewal encourages companies to implement strong controls and be forthright with investors about known cybersecurity concerns.