SEC Charges SolarWinds CISO

What happened?

On October 30, 2023, the Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation and its chief information security officer, Timothy G. Brown. The charges allege fraud and internal control failures relating to cybersecurity risks and vulnerabilities that the company and Brown allegedly knew about.

The SEC’s complaint stated that Brown and SolarWinds misled investors by “overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks” from October 2018 to the December 2020 announcement of a two-year cyberattack, “SUNBURST”. SolarWinds allegedly only notified investors of “generic and hypothetical risks” when, in reality, Brown and SolarWinds were aware of specific gaps in their cybersecurity practices and increasing risks.

The SEC’s complaint further states that there were numerous communications between Brown and SolarWinds employees in 2019 and 2020 that questioned their ability to safeguard critical assets from a cyberattack. According to the charges, Brown was aware of these cybersecurity risks and vulnerabilities but failed to resolve them or raise them for further action. As a result, SolarWinds allegedly could not provide adequate assurances that valuable assets, including the Orion product, were sufficiently protected.

In conclusion, the SEC’s complaint, filed in the Southern District of New York, states that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.

Next Steps:

CISOs, CCOs, and those overseeing a firm’s cybersecurity measures should be aware that they are responsible for their firm’s cybersecurity program and for adequately disclosing risk. They should keep in mind that they could face legal implications if proper processes are not maintained or adequate disclosures are not made.

They should remain informed regarding best practices and regulations provided by the SEC when remediating and disclosing a cybersecurity incident.

Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding training, phishing, and vendor due diligence. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.