In a recent development, the U.S. Securities and Exchange Commission (SEC) has filed a complaint in the Southern District of New York, accusing SolarWinds and its former Chief Information Security Officer (CISO) of committing securities fraud. The complaint alleges that the company and the CISO violated antifraud provisions by misleading investors about their cybersecurity practices.
The SEC's charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses within SolarWinds. The lawsuit claims that the company failed to disclose these gaps in their security practices, thereby defrauding investors. This news has sent shockwaves through the cybersecurity industry, with cybersecurity leaders expressing concern and reacting to the charges.
One of the key paragraphs in the filing was:
"Using their access, the threat actors inserted malicious code into three software builds for SolarWinds’ Orion products. SolarWinds then delivered these compromised products to more than 18,000 customers across the globe. The malicious code provided the threat actors with the ability to access the systems of these compromised customers, provided certain other conditions were met, and became known as the SUNBURST attack."
Does your organization really know what is inside the third-party software that you are using on a day-to-day basis?
In this filing, the federal government is seeking monetary damages and an order barring CISO Brown from holding a similar position in a public company.