SEC charges SolarWinds and its CISO with fraud over cybersecurity failures

The U.S. Securities and Exchange Commission (SEC) has filed charges against Austin-based software firm SolarWinds and its chief information security officer, Timothy Brown.

This appears to be the first time that the SEC is suing a company for intent to deceive stakeholders regarding cybersecurity, as well as failure to build internal checks and balances for security. This is also the first time that the SEC has brought action against a chief information security officer (CISO) in a cybersecurity enforcement action.

The SEC’s allegations focus on misleading investors regarding the company’s cybersecurity measures and not disclosing known risks. These actions span nearly two years, from the company’s initial public offering in October 2018 until the December 2020 public announcement of a large-scale cyberattack named SUNBURST.

In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company knew of specific deficiencies in its cybersecurity practices as well as the increasingly elevated risks it faced.

According to the SEC’s complaint, SolarWinds’ public disclosures about its cybersecurity posture were inconsistent with internal evaluations. An internal report from 2018, prepared by an engineer, raised concerns about the company’s remote access security. The report was shared internally, including with Mr. Brown. The document highlighted that an attacker exploiting these vulnerabilities could go undetected, potentially causing severe financial and reputational damage to the company.

Additionally, presentations by Mr. Brown in 2018 and 2019 flagged the company’s weak state of security, particularly concerning access and privileges to critical systems. Several communications among SolarWinds employees between 2019 and 2020 questioned the company’s ability to secure its critical assets from cyberattacks.

The SEC complaint alleges that despite being aware of these issues, adequate steps were not taken to resolve them or escalate them within the organization. The company’s inability to secure its key assets, including its flagship Orion product, resulted in a lack of reasonable assurances for their protection.

After SolarWinds disclosed the SUNBURST attack in a Form 8-K filing on December 14, 2020, the company’s stock price dropped by approximately 25% in the following two days and by around 35% by the end of the month.

The SEC’s lawsuit, filed in the Southern District of New York, seeks a variety of penalties against both SolarWinds and Mr. Brown, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and a bar against Brown serving as an officer or director.
