The Securities and Exchange Commission is making an example of SolarWinds by charging the company with defrauding investors for allegedly failing to stop a massive breach at the IT company and covering up its negligent cybersecurity practices.
The US regulator is also going after SolarWinds Chief Information Security Officer Tim Brown for presiding over the violations, which ensnared the US government in 2020.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said SEC Enforcement Director Gurbir Grewal in the announcement.
In 2020, SolarWinds suffered a data breach involving suspected Russian hackers who tampered with the company’s software products to distribute malware to customers, including US government agencies. The SEC now alleges SolarWinds could have prevented the breach, since executives were aware the company’s cybersecurity posture had been lackluster for years, but neglected to act.
As evidence, the US regulator cites SolarWinds’ own internal reports, including a 2018 assessment shared with Brown that pointed out security vulnerabilities in one of the company’s own remote access systems.
“Network Engineer D warned that this setup was ‘not very secure’ and later explained that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late’ which could lead to a ‘major reputation and financial loss’ for SolarWinds,” alleges the SEC’s complaint, which notes two other internal reports warned about similar risks.
Despite the warnings, SolarWinds did little