In a recent turn of events, the Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its chief information security officer (CISO), Timothy G. Brown. The charges accuse them of misleading investors by failing to disclose known risks and by overstating the company's cybersecurity practices.
The charges stem from the 2020 Sunburst supply-chain attack, in which a trojanized SolarWinds Orion update reached thousands of customers, including government agencies and companies worldwide. The SEC alleges that SolarWinds violated the antifraud provisions of the Securities Act and the Exchange Act as well as the reporting and internal controls provisions of the Exchange Act, and that Brown aided and abetted the company's violations.
This case is particularly significant because it brings attention to the role of the CISO. It signals that CISOs of publicly listed companies must not only manage cyberattacks but also ensure that what the company tells customers and investors about its security posture and controls is accurate. The complaint alleges that there were red flags the CISO knew about but that were not reflected in public disclosures, raising the bar for security disclosure toward the standard CFOs already apply to financial disclosure.
However, the extent of the CISO's personal responsibility remains unclear. Agnidipta Sarkar, vice president for CISO Advisory at ColorTokens Inc., notes that the role of a CISO is complex, involving navigating internal politics and pushbacks. The CISO is exposed to external forces at a scale unlike any other CXO. Whether the CISO succumbed to pressure or was complicit in the hack is yet to be determined.
Prior to the filing of charges, the SEC had sent Wells notices to SolarWinds staff, including the CFO and the CISO, indicating that enforcement action was being considered for violations of federal securities law in connection with the company's response to the Sunburst attack.
The SEC complaint alleges that SolarWinds downplayed security concerns in its public statements. According to the complaint, internal documents and presentations contradicted the company's public disclosures about its cybersecurity practices, risks, controls, and vulnerabilities: known material risks, control gaps, and vulnerabilities were not appropriately addressed or disclosed. This discrepancy is the core of the SEC's case and raises questions about the accuracy and transparency of SolarWinds' disclosures.
In response to the SEC charges, SolarWinds CEO Sudhakar Ramakrishna published a blog post denying all of the charges. He called the SEC's action misguided and improper, stating that SolarWinds had maintained appropriate cybersecurity controls both before and after the Sunburst incident. The company intends to vigorously oppose the SEC's enforcement action.
The SEC's complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
As this case unfolds, it serves as a reminder for companies to ensure that their cybersecurity disclosures are accurate in all material respects. Transparent and accurate communication about cybersecurity risks and controls is crucial for maintaining the trust of stakeholders, investors, and customers. The SolarWinds case highlights the need for proactive disclosure and the increased scrutiny now placed on CISOs of publicly listed companies.