SEC Charges SolarWinds and CISO with Fraud for Security Failures
Date: November 1, 2023
The U.S. Securities and Exchange Commission (SEC) announced enforcement actions against software services firm SolarWinds Corporation and the company’s chief information security officer, Timothy G. Brown, alleging fraud for internal control failures related to known security risks.
The complaint alleges that from the period following the company’s initial public offering through the December 2020 announcement that it was the victim of a two-year-long cyberattack, SolarWinds and CISO Brown misled investors by overstating the cybersecurity protections the company had in place and by not accurately disclosing known risks.
“In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time,” the SEC said in a statement.
The SEC also alleges that a series of communications between SolarWinds employees and Brown in 2019 and 2020 are evidence that the company was aware they could not adequately defend critical assets from attacks.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
Takeaway: More visibility and accountability in regard to security precautions at publicly traded companies is a good thing – that's a no-brainer. This enforcement action by the SEC appears to be based on deceptive practices by the company and its CISO, and they should of course be taken to task.
That said, in general terms we do have to be careful not to confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.
Publicly traded companies are attacked every day, and if the company is relatively large, it may be attacked hundreds of times in a day. And the fact is, we can’t stop cyberattacks, but we can stop an attack from being successful and attaining its intended objectives.
So, the real challenges with the recent SEC rules requiring disclosure of a “material” attack event within four days are going to be twofold: first, the onus is on corporate officers to decide if and when a security event reaches the threshold of being “material” for investors.
This leaves quite a bit of wiggle room and the potential for plausible deniability, and it could – if not structured correctly – produce a culture within companies where there is pressure on security teams to conceal security events from the executive suite, so security events go unreported.
The second challenge is whether or not investors are educated enough about all things cyber to know what to do with information following an incident – and this is the real rub here.
There can be a very significant amount of time that passes between “we are under attack” and “we understand the full nature of and potential impact of the attack.” Forensic investigations are complicated, and they take time – usually much more time than four days.
The disclosure rules set by the SEC, if not supported by investor education efforts, have the potential to create a situation where an attack is disclosed but the details are murky, because it could be weeks or months before the organization can adequately assess the situation that the SEC is requiring be reported.
Investors, once informed of an attack, will want the details and want them immediately. This could create situations where company leadership simply appears incompetent because they can’t answer tough questions about an event, in turn undermining investor confidence.
Also, the company's leadership would then be in a position where they trickle out incomplete information over time as the investigation progresses, and simply end up dying by a thousand cuts. Recall the fiasco that was Okta’s attempt to be transparent following a security event and how much damage it did to the company’s reputation.
The inability to provide concrete answers immediately will likely create confusion and anxiety for investors, causing them to overreact to an event that may or may not be a serious incident from a security standpoint.
Consider a denial-of-service (DoS) attack that takes a company’s web retail operation offline for a period; it could cost the company millions of dollars. This is definitely material and thus required to be reported.
But a DoS attack is not necessarily an existential event for a company compared to, let's say, a corporate espionage attack where no systems went down, no revenue was lost, but sensitive data like intellectual property were exfiltrated.
Material? Probably so. But such an attack could also be written off as a simple intrusion event and nothing else. The attackers got into the systems, the intrusion was detected, the security team evicted the attackers from the network, and it appears no damage was done.
That is, until two years later when a foreign-based startup emerges with basically the exact same product selling at a steeply discounted price because the new competitor has no R&D costs to recover.
This scenario would possibly be an existential event for the victim organization, but how could they possibly forecast this serious situation within four days of detecting the initial intrusion event?
Without a great deal of education for the investor community, in situations like this we might see shareholders fleeing every time a company gets hit with a relatively minor attack, crashing a company’s stock price, yet feel secure in their long-term investments at a company that is actually at significant risk of losing its competitive advantage.
While this is an overly simplified example, it drives home the point that any requirements on victim organizations to report material security events to investors need to come with a concerted effort to educate investors on the nuances of attacks, security operations, and risk, or the SEC will just be creating more problems than it is actually solving.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.