In a surprising move, the US Securities and Exchange Commission (SEC) announced yesterday that it will be suing both the software company SolarWinds and its chief information security officer (CISO) over the 2020 SUNBURST cyberattacks. The SEC alleges that SolarWinds and its CISO failed to disclose material information about the security breach that affected thousands of its customers, including several federal agencies and Fortune 500 companies. The SEC also claims that SolarWinds and its CISO misled investors and the public about the nature, extent, and impact of the cyberattacks, which were attributed to a sophisticated nation-state actor.
The SEC's complaint, filed in the US District Court for the Southern District of New York, seeks injunctive relief, civil penalties, disgorgement of ill-gotten gains, and officer-and-director bars against SolarWinds and its CISO. The SEC argues that SolarWinds and its CISO violated the antifraud provisions of the federal securities laws, as well as the reporting, books and records, and internal controls provisions. The SEC also charges SolarWinds with making false and misleading statements in its periodic filings and press releases.
The SEC's action is unprecedented in the cybersecurity field, as it is the first time that the agency has sued a company and its CISO for failing to disclose a security breach. The SEC's action also raises several legal and ethical questions, such as:
What are the duties and responsibilities of a CISO in relation to cybersecurity incidents?
What are the standards and criteria for determining materiality and disclosure obligations in cybersecurity matters?
What are the potential consequences and implications of the SEC's action for SolarWinds, its CISO, and other companies and CISOs in similar situations?
These questions are likely to be debated and litigated in the coming months, as the SEC's action may have a significant impact on the cybersecurity industry and practice. The SEC's action may also prompt other regulators and stakeholders to take similar or complementary actions against SolarWinds and its CISO, or against other companies and CISOs involved in cybersecurity incidents. The SEC's action may also encourage more transparency and accountability in cybersecurity governance and reporting, as well as more investment and innovation in cybersecurity solutions and services.
From the SolarWinds Side
SolarWinds has issued a statement in response to the lawsuit filed by the SEC, in which the company claims that the SEC's lawsuit is "fundamentally flawed" both from a legal and factual perspective, and that it will be defending itself vigorously against the charges.
SolarWinds argues that the SEC's lawsuit is based on a "misunderstanding of the facts and circumstances surrounding the cyberattack". The company says that it acted promptly and responsibly to notify its customers, regulators, law enforcement, and the public about the breach, and that it cooperated fully with the investigations. SolarWinds also asserts that it followed industry best practices and standards for security, and that it did not have any material nonpublic information about the cyberattack when it made its public statements.
Furthermore, SolarWinds contends that the SEC's lawsuit "threatens to harm security by pressuring companies to disclose sensitive security information in public filings". The company says that such disclosures could expose companies to further attacks and compromise their ability to protect their customers and networks. SolarWinds maintains that it has a duty to balance the need for transparency with the need for security, and that it has done so in good faith and in compliance with the law.
Still, the SEC's investigation unearthed concrete issues, such as a software development life cycle (SDLC) that was out of compliance with the company's own policies, and that remained out of compliance two and a half years after leadership had been informed of the problem.
Other allegations against SolarWinds draw on concerns repeatedly raised by its own security staff. Some employees were disgusted by the company's security posture, and one network engineer complained that the company was filing more vulnerabilities than it could feasibly fix. All of this points to insufficient security understanding and prioritization among the company's leadership. This is a common trap for organizations of all shapes and sizes, and escaping it requires diplomatic effort on the part of expert security team members who can help leadership recognize and address the issue.
Webcheck Security provides exactly that type of expert security input to help bring about necessary changes in an organization. These are provided via its consultation services, either through audit preparation and compliance assessment engagements or through ongoing, integrated fractional CISO (aka FISO) services, in which highly experienced CISOs act as part of your organization. Contact Webcheck Security today to discuss your needs and how we can address them.