Privacy & Information Security Law Blog

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation and its Chief Information Security Officer (“CISO”), Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The SEC’s complaint alleges that, from SolarWinds’ October 2018 initial public offering through its December 2020 8-K filing, the company was the target of a massive, nearly two-year long cyberattack, known as SUNBURST, and defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The SEC has alleged that SolarWinds (1) mislead investors by disclosing only generic and hypothetical risks when the company and Brown allegedly knew of specific deficiencies in SolarWinds’ cybersecurity practices; (2) issued public statements about its cybersecurity practices and risks that were allegedly at odds with its internal assessments; and (3) discussed internally in 2019 and 2020 questions regarding the company’s ability to protect its critical assets from cyberattacks; and (4) made an incomplete disclosure about the SUNBURST attack in the company’s Form 8-K filing on December 14, 2020. In addition, the SEC alleged that Timothy Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but did not resolve the issues or sufficiently raise them further within the company.

The SEC’s complaint alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934, and the reporting and internal controls provisions of the Exchange Act. The complaint further alleges that Brown aided and abetted the company’s violations. The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties and an officer and director bar against Brown. In response to the SEC’s complaint, SolarWinds’ CEO issued a statement, which states “it is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.” In the statement, SolarWinds further provides that it “will vigorously oppose this action by the SEC.”