SEC's Legal Action Against SolarWinds and CISO Creates Uncertainty in Cybersecurity

SEC sues SolarWinds and CISO, alleging cybersecurity mismanagement, raising accountability questions in the industry.

In the lawsuit, the plaintiffs allege that CISO Timothy Brown, who was in charge of managing the company's software supply chain at the time of the massive cyberattack, failed to disclose critical information regarding the attack.

Several government agencies, corporations, and government-related organizations across the world rely on SolarWinds' product solutions. The complex attack, which is widely attributed to state-sponsored Russian hackers, compromised numerous networks. The breach drew a significant amount of attention to cybersecurity, and several hacks, investigations, and regulatory concerns followed.

The attackers have been confirmed to be Russian government-linked hackers, who reportedly injected malicious code into the company's IT monitoring and management tool, Orion, and infiltrated the company through it.

The hack, initially estimated to have occurred in October of last year, affected more than 18,000 organizations worldwide, including the U.S. Department of State, the Department of Homeland Security, the National Security Agency, and Microsoft Corporation. Nevertheless, SolarWinds later estimated that fewer than 100 customers had been affected.

SolarWinds and Brown are being charged by the SEC with fraud and with failing to maintain internal controls relating to alleged cybersecurity threats and vulnerabilities. The complaint alleges that from SolarWinds' initial public offering in October 2018 until December 2020, when it announced that it had been hacked, SolarWinds and Brown defrauded investors by overstating the company's cybersecurity practices and understating or failing to disclose certain risks that may have affected the company's investors.

The software maker and its chief information security officer are now facing charges of fraud and internal control failures. In an announcement released by the Securities and Exchange Commission (SEC) on Monday, it was alleged that SolarWinds and Brown misled investors about the company's cybersecurity practices, known security risks, and weaknesses throughout the company's history.

Earlier investigations into the SolarWinds hack concluded that the attackers were in the company's network for at least two years before they were discovered, indicating that they were well embedded in the company's network. The SEC alleges that Brown aided and abetted SolarWinds' violations of the Exchange Act's reporting and internal control provisions.

The SEC's recently implemented four-day reporting rule highlights a lack of transparency in cybersecurity incident reporting. According to the complaint, the SEC seeks permanent injunctions, disgorgement with prejudgment interest, civil penalties, and a bar against Brown serving as an officer or director of a corporation. A lawsuit by the SEC against a CISO alleging that he mismanaged cybersecurity risks in his organization is extremely rare.

In the suit, SolarWinds' chief information security officer is accused of knowing about vulnerabilities in the company's systems but failing to disclose them adequately to investors, resulting in misleading statements in the company's SEC filings that the SEC claims were fraudulent. The lawsuit has received mixed reviews from industry experts.

Some see holding CISOs accountable for the decisions they make about cybersecurity risks as a necessary step. They argue that CISOs are the most important individuals in safeguarding a company's digital assets, and that they must be transparent about potential threats both to their organization and to regulators.

The lawsuit has drawn the attention of many people, including SolarWinds itself, which claims it sets a problematic precedent. CISOs may become reluctant to share information about cyber threats within their organizations for fear that doing so could expose them to legal action. As a result, critics say, the industry could have difficulty responding effectively to cyberattacks and protecting sensitive data.

A blog post by Sudhakar Ramakrishna, President of SolarWinds, addressing the SEC's charges, states that the charges threaten the open information sharing across the industry that cybersecurity experts consider necessary for our collective security.

Further, the charges might disenfranchise cybersecurity professionals across the country and take these cyber warriors out of active service. In response to this lawsuit, many CISOs and cybersecurity professionals are likely to examine their roles and responsibilities in more detail, and many will consult legal teams to understand the legal risks associated with their positions.

Others will surely revise their disclosure practices to strike a balance between transparency and potential liability. Since the COVID-19 pandemic and the rapid shift to remote work, companies have continued to struggle to secure remote access, and the Sophos report revealed that the problem persists.

According to the cybersecurity company's mid-year "Active Adversary Report," 95% of the attacks in the first half of 2023 were carried out via remote desktop protocol. In addition, attackers are increasingly targeting VPNs as a means of gaining remote access, another area that has been difficult to defend for the last few years.

Attackers exploited a critical flaw that was disclosed in December, and malicious activity against Fortinet VPN instances increased in February. According to the report, CISOs, particularly those who oversee public companies, should take an inventory of their security programs and make sure that the information they share with the public is based on fact rather than spin, which is what is causing concerns.

By filing this suit against privately held companies, the SEC is setting a new standard for security disclosures for those companies. For now, there is no way to predict the outcome of the SolarWinds lawsuit or its implications for the cybersecurity industry in general. Regardless of the outcome, it serves as a stark reminder to all CISOs that they face a complex landscape of legal and regulatory challenges and a rapidly evolving role.