You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As described by NPR in 2021, the hack was  “believed to be directed by the Russian intelligence service, the SVR,” which used a “routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.” It was estimated that 18,000 customers were affected, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.  The SEC filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging ‘fraud and  internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” The gist of the complaint, as alleged by the SEC, is that many red flags emerged and incidents occurred, well known among company employees, that should have spurred the company and its CISO to take action to address serious cyber vulnerabilities, including vulnerabilities related to the company’s “crown jewel” assets.  Instead, the SEC charged, the CISO “failed to resolve the issues or, at times, sufficiently raise them further within the company.” Compounding that failure, the SEC alleged, perhaps more importantly from the SEC’s perspective, the Company and the CISO misled investors with a deceptive depiction of the Company’s cyber controls environment that “concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks.”  It was only after the massive cyberattack that the “true state of SolarWinds’ cybersecurity practices, controls, and risks ultimately came to light.” (See this PubCo post.) As discussed in this blogpost, Fatal Flaws in SEC’s Amended Complaint Against SolarWinds, from our White Collar Defense and Investigations group, this case has developed into a very high-stakes contest.  

As described in the post, last month, a coalition of over fifty cybersecurity leaders and organizations from the business community, the software industry and former law enforcement joined an amicus brief calling for dismissal of the SEC’s amended complaint against SolarWinds and its CISO.  The brief contended that “the SEC’s latest allegations against SolarWinds and Brown—the first time in history that the SEC has charged a CISO with securities violations—are counterproductive for cybersecurity and national security.” According to the post, the SEC’s charges “also provide a stark warning for companies, executives, and cybersecurity professionals that the SEC remains committed to policing cybersecurity in the years to come.”  Check it out!

Posted by Cydney Posner