November 29, 2023
The U.S. Securities and Exchange Commission (SEC) has filed a fraud suit against SolarWinds and its chief information security officer (CISO), alleging they made false statements regarding the company’s security practices and a security incident.
The crux of the claims is that the company and its CISO misrepresented company practices regarding the adoption of the NIST Cybersecurity Framework, the implementation of a secure development lifecycle for products, and password and access controls.
The SEC also alleges that SolarWinds lacked required disclosure controls and procedures, which allegedly resulted in the company making false statements regarding a 2020 security event.
Here are three things companies should consider doing in light of the SEC’s suit against SolarWinds:
1. Review disclosures and public statements regarding cybersecurity practices.
2. Prepare for new rules.
3. Assess disclosure controls and procedures.
On December 14, 2020, SolarWinds filed a Form 8-K stating that the company had been informed of a vulnerability in its Orion Software Platform resulting from a cyberattack. It was later reported that a Russian state-sponsored actor compromised SolarWinds’ systems and used that access to create a vulnerability in Orion code the actor could exploit on Orion customer systems. This was known as the SUNBURST incident.
SolarWinds disclosed this year that the company and several of its executives had received notices indicating they were the targets of an ongoing SEC investigation into the company’s handling of the incident.
On October 30, the SEC filed a civil action against the company and its CISO, alleging they made a variety of false statements prior to and following the SUNBURST incident and that the company had inadequate accounting and disclosure controls.
The SEC alleges that SolarWinds made false statements in a Security Statement on SolarWinds’ website as well as in SolarWinds’ Form 10-K, 10-Q, S-1 and S-3 Registration Statements. The action against the CISO is premised on his name and photo appearing on the Security Statement and his sub-certifications of the registration statements.