This week, in a bold first move following its new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, issued on July 26, 2023, the Securities and Exchange Commission (SEC) filed suit against SolarWinds and its Chief Information Security Officer (CISO). The suit alleges that SolarWinds and its CISO for years “ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company…and engaged in a campaign to paint a false picture” of its “cyber controls environment thereby depriving investors of accurate material information.”
The complaint against SolarWinds and its CISO outlines in detail internal statements made by SolarWinds and its CISO in emails, instant messages and presentations about SolarWinds’ security flaws and deficiencies.
The complaint should be a wake-up call to all public companies that the SEC is serious about holding executives responsible for following its cybersecurity guidelines and shoring up cybersecurity deficiencies. It is also a textbook case of how internal communications can, and will, be used by regulators and litigators to bolster a case, whether those communications are believed to be taken out of context or not. Internal communications like “Even if we start to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**ck this situation. Not good” will never be read in the most favorable light to the defendant.
Statement from SolarWinds spokesperson:
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments. The truth of the matter is that SolarWinds maintained appropriate cyber security controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats.”