The Securities and Exchange Commission on Monday charged software provider SolarWinds Corp. and its chief information-security officer with fraud and the failure to fully disclose cybersecurity weaknesses, following a historic cyberattack disclosed in 2020 that was purportedly backed by Russia.
SolarWinds
SWI,
-1.59%,
in a statement, called the allegations “unfounded” and accused the SEC of “overreach.” Shares of the company were down 0.2% in after-hours trade on Monday.
The SEC on Monday alleged that from at least SolarWinds’ October 2018 IPO through its December 2020 announcement that it had been targeted in the breach, the company and its chief information security officer, Timothy Brown, “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”
The SEC’s complaint alleged that despite warnings from employees, Brown “failed to resolve the issues or, at times, sufficiently raise them further within the company.” The agency is seeking civil penalties and an officer and director bar against Brown.
SolarWinds
SWI,
-1.59%
is based in Austin, Texas, and develops IT management software for businesses and governments. The attack, which exploited a software update, was one of the biggest ever, compromising scores of customers as well as government agencies and big companies like Microsoft Corp.
MSFT,
+2.27%.
Gurbir Grewal, director of the SEC’s enforcement division, alleged in a statement that “for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company.’”
A SolarWinds spokesperson accused the SEC of manufacturing claims against the company and Brown.
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” the spokesperson said in a statement.
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country,” the representative continued.
The SEC, in its complaint, alleged that SolarWinds’ public statements ran contrary to the company’s own internal diagnosis of its cybersecurity practices.
The agency said that a 2018 company presentation, shared with Brown, called SolarWinds’ remote access set-up “not very secure.” The presentation added that someone taking advantage of the vulnerability “can basically do whatever without us detecting it until it’s too late,” potentially causing “major reputation and financial loss.”
Other presentations by Brown, during 2018 and 2019, allegedly stated that the “current state of security leaves us in a very vulnerable state for our critical assets,” according to the SEC’s complaint. The complaint also said that through 2019 and 2020, “multiple communications” among employees, including Brown, questioned SolarWinds’ cybersecurity defenses.
Alec Koch, a lawyer representing Brown, said the executive had performed his duties at the company with “diligence, integrity, and distinction.”
“Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” Koch said in a statement.
Shares of SolarWinds are down 1.2% so far this year.