Sarah Travers
In a bold move, U.S. regulators have filed a lawsuit against SolarWinds, a prominent Texas-based technology company, and its top security executive, Tim Brown. This legal action comes in response to a massive 2020 Russian cyberespionage campaign that targeted SolarWinds’ software, leading to a significant breach.
The company is accused of failing to disclose critical security deficiencies prior to the notorious hack, which had far-reaching consequences, impacting U.S. government agencies and over 100 private companies.
The Damning Accusations
The Securities and Exchange Commission (SEC) has filed a 68-page complaint in New York federal court, detailing how SolarWinds and Brown allegedly defrauded investors and customers by concealing the company’s inadequate cybersecurity practices and the increasing risks it faced.
In October 2018, an internal presentation at SolarWinds highlighted the company’s vulnerable security state, potentially leading to substantial financial and reputational losses. Over the next two years, multiple communications within the company questioned SolarWinds’ ability to protect its critical assets from cyberattacks.
The Significant Impact of the Hack
In December 2020, the SolarWinds hack was discovered to have infiltrated U.S. government departments such as Justice and Homeland Security.
This almost two-year-long campaign of espionage led to the compromise of thousands of customers, with Russian cyber agents covertly infiltrating specific targets, including U.S. government agencies, as well as notable software and telecommunications companies. Victims of the hack included the New York federal prosecutors’ office, the then-acting Homeland Security Secretary Chad Wolf, and members of the department’s cybersecurity staff.
SolarWinds and Brown’s Defense
SolarWinds has strongly disputed the charges brought forth by the SEC, expressing deep concern about potential national security risks associated with the agency’s action. The company provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies across North America, Europe, Asia, and the Middle East.
Tim Brown, whose current title at SolarWinds is chief information security officer, is said to have performed his responsibilities with diligence and integrity. Brown and SolarWinds are prepared to challenge the inaccuracies in the SEC’s complaint.
Wrapping Up the Legal Maelstrom
The SEC’s lawsuit against SolarWinds and Tim Brown marks a significant development in the ongoing efforts to hold companies accountable for cybersecurity lapses and failures to disclose vulnerabilities.
The Biden administration has been particularly proactive in this area, with the SEC adopting new rules in July that require publicly traded companies to disclose all cybersecurity breaches within four days, subject to certain exceptions for national security or public safety concerns.
As the legal proceedings unfold, it remains to be seen how this case will impact the cybersecurity industry and the practices of other companies in safeguarding their digital assets.
