PUBLISHED ON: November 22, 2023
A new era of cyber risk was ushered in by the litigation the U.S. Securities and Exchange Commission (SEC) initiated against SolarWinds Corporation and its chief information security officer (CISO). The SEC alleges fraud arising from the company's failure to adequately disclose known cybersecurity risks and vulnerabilities, weaknesses that ultimately figured in a massive supply chain cyberattack.
In the underlying attack, the intruders exploited weaknesses in SolarWinds’ virtual private network to gain access to the IT-management software company’s systems. They then planted a backdoor known as SUNBURST into builds of the Orion software product, which SolarWinds delivered to some 18,000 customers as a routine update, giving the attackers a foothold in those customers’ environments. The breach affected not only private businesses but also a number of cybersecurity companies that ran Orion, as well as key U.S. government agencies, including the Departments of Health and Human Services, Treasury and State. The compromise was not discovered and reported until December 2020, more than a year after the attackers apparently first accessed SolarWinds’ systems.
In its complaint, which was filed in New York federal court on October 30, the SEC alleges SolarWinds and its CISO knew for several years prior to the cyberattack that its systems were vulnerable and could be compromised even as they pronounced their systems secure. Rather than attempting to shore up the vulnerabilities, the complaint further alleges that SolarWinds misrepresented the adequacy of security controls and failed to disclose the known vulnerabilities in published corporate statements and regulatory filings, thereby misleading investors about material information.
The SEC’s complaint makes clear that SolarWinds was not sued because it suffered a cyberattack, but because SolarWinds’ poor cybersecurity controls and its false and misleading statements to investors allegedly violated federal securities laws. The SEC alleges these violations included SolarWinds’ incomplete and misleading disclosures in a December 2020 Form 8-K regarding the nature and true extent of the cyberattack. According to the SEC, the cyberattack merely brought SolarWinds’ violations to light.