The Securities and Exchange Commission on Monday sued SolarWinds, the software company victimized by Russian-linked hackers over three years ago, alleging the firm defrauded shareholders by repeatedly misleading them about its cyber vulnerabilities and the ability of attackers to penetrate its systems.
The SEC’s lawsuit is a milestone in its evolving attempt to regulate how public companies deal with cybersecurity. A hack that steals business secrets or customer data often pummels the victim company’s stock price, showing why firms with public shareholders have to accurately disclose such threats, the SEC says. The regulator recently imposed stricter cybersecurity reporting rules for public companies.
The lawsuit also presents a different view of the breach of SolarWinds, which portrayed itself as the victim of a highly sophisticated intrusion that other government agencies said was part of a Russian espionage campaign. The intrusion went undiscovered for more than a year and gave intruders footholds in at least nine federal agencies that used SolarWinds’s software.
The SEC’s role in cybersecurity is controversial, with business groups saying its investigations can shift blame to the victim. Other law enforcement agencies prefer to keep quiet while they probe hackers and sometimes clash with the SEC over its demands for disclosure. The SolarWinds case is the first time securities regulators have gone to court with civil fraud claims — the most serious charge at the agency’s disposal — against a public company over a hack.
“The SEC is improperly trying to appoint itself the cybersecurity police for public companies,” said Sean Berkowitz, an attorney for SolarWinds. “The agency’s overreach into this complex area should alarm all public companies and cybersecurity professionals across the country.”
Shares in SolarWinds, which fell about 1.6% on Monday before the SEC’s lawsuit became public, declined slightly further in after-hours trading.
In another first, the SEC’s complaint, filed in Manhattan federal court, also named SolarWinds’s chief information security officer, Tim Brown. It is unusual for the SEC to sue public-company officers who don’t directly oversee or prepare the company’s financial statements.
An attorney for Brown said the SEC’s claims about him were inaccurate and that Brown plans to contest them in court. “Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds,” attorney Alec Koch said.
The SEC alleged Brown was aware of major shortcomings with his company’s cyber defenses as the company underplayed the issue to investors. That contrast between what SolarWinds knew and what it said publicly is at the heart of the SEC’s fraud claim.
Brown’s awareness of information-security problems began as early as October 2018, when SolarWinds conducted its initial public offering, the SEC said. In an internal presentation he wrote that SolarWinds’s “current state of security leaves us in a very vulnerable state for our critical assets,” according to the lawsuit.
SolarWinds has said it learned about its central role in the breach only days before it first disclosed the attack to shareholders on Dec. 14, 2020. The initial disclosure said fewer than 18,000 customers could have been harmed by the breach. Within a few more days, SolarWinds told investors it had issued software updates for the vulnerabilities.
The true number wound up being much smaller — fewer than 100, according to a person familiar with the matter. SolarWinds believed its initial disclosure presented a worst-case scenario and told shareholders it was investigating the scope of the problem. The disclosure was thus more than adequate, its lawyers reasoned.
“SolarWinds is a U.S. company that was the victim of an incredibly sophisticated cyberattack by Russia,” said Berkowitz, the attorney for the company. “The SEC has now decided to re-victimize the victim. This decision will send a chilling message to the security community and hinder information-sharing across the industry.”
The SEC’s lawsuit says that while the attack, known as Sunburst, has been attributed to a sophisticated nation-state actor, the company could have prevented the damage by addressing known vulnerabilities “through straightforward steps.” A series of attacks on its customers and other warnings highlighted the dire threats facing the company, the SEC said.
The intrusion began in January 2019 with the hackers accessing SolarWinds’s virtual private network, the SEC alleged in its lawsuit. A SolarWinds engineer had warned about the vulnerability a year earlier, through emails and as part of a presentation to managers, the SEC said. SolarWinds didn’t act on the concerns or update its disclosures to address them, the SEC said.
Companies use VPNs to create more secure connections for their employees to access corporate data. After gaining access to SolarWinds’s network and going undetected, the hackers took other steps that enabled their ultimate feat, inserting malicious code dubbed Sunburst into the company’s Orion software updates.
SolarWinds also learned in early 2020 that some of its smaller customers had suffered attacks that could be tied back to an intrusion of its own network, according to the SEC. The attacks displayed deep knowledge of SolarWinds’s products and customers, a red flag that should have been disclosed to investors, the agency said.
Another government agency told SolarWinds in May 2020 — six months before the disclosure — that its software was potentially compromised. SolarWinds failed to identify the cause of malicious activity reported by the government, the SEC said. That was another warning, but SolarWinds didn’t update its disclosures to reflect the more serious threats that it and its customers faced, the SEC said.
SolarWinds in July settled a class-action lawsuit filed by shareholders for $26 million. That lawsuit alleged SolarWinds misled investors by saying it had strong cybersecurity controls. The company didn’t admit wrongdoing.
The SEC also waged an aggressive effort to get information about the hack from hundreds of public companies that used SolarWinds’s Orion software. Attorneys for companies that received the letters said regulators wanted to know if those firms had accurately disclosed to their own shareholders how they were affected by the breach.
Microsoft and the cybersecurity company FireEye were among the companies affected by the incident. The Biden administration punished Russia for the breach, including through financial sanctions and diplomatic expulsions. Russia has denied involvement.
Separately, the SEC in July ratcheted up cybersecurity requirements on public companies. Commissioners approved a new regulation that requires disclosure of a cybersecurity incident within four business days of the company determining that the incident is material. The rule said disclosure could be delayed if the Justice Department determines the attack should remain confidential for national-security or public-safety reasons.