
Cyber risk – don’t gloss over it: SEC targets SolarWinds Corp and CISO over cybersecurity weaknesses.

The US Securities and Exchange Commission has announced charges against SolarWinds Corp and its CISO following a cyber-espionage attack in 2019.

In a statement released this week the US Securities and Exchange Commission (SEC) confirmed that it has announced charges against SolarWinds Corp as well as its chief information security officer (CISO).

The allegations levied by the SEC relate to the alleged overstating of the company’s cybersecurity posture, or failure to disclose cybersecurity risks that were within the company’s knowledge. The SEC says that the company misled investors by disclosing only generic and hypothetical risks instead of specific, known deficiencies as well as the elevated risk faced by the company. These failings, says the SEC, amount to fraud and internal control failures around cybersecurity risks and vulnerabilities.

If you hadn’t heard, SolarWinds was subject to a serious cyber-espionage attack in 2019 affecting its Orion IT system management platform – known as the Sunburst attack. The attack was described by the Cybersecurity & Infrastructure Security Agency (CISA) as posing a “grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” 

SolarWinds had its IPO in October 2018, and the SEC has taken issue with SolarWinds’ public statements about its cybersecurity practices, which it describes as being “at odds” with its internal assessments. Some of those internal assessments include:

  • A presentation in 2018 by a SolarWinds engineer in which it was highlighted that SolarWinds’ remote access setup was ‘not very secure’ and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late.”
  • Presentations by the CISO in 2018 and 2019 stating that the “current state of security leaves us in a very vulnerable state for our critical assets”, and that “access and privilege to critical systems/data is inappropriate.”

There were also allegedly a number of internal communications in 2019 and 2020 which questioned SolarWinds’ ability to protect its critical assets from cyberattacks. The CISO was involved in these discussions and was a recipient of an internal document in September 2020 which said, “the volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”

It is said that the CISO knew about the extent of SolarWinds’ cybersecurity risks yet did not resolve the issues or did not raise them further within the company. This led, says the SEC, to the company being unable to provide reasonable assurances that its assets – including Orion – were adequately protected.

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said:

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

The matters advanced by the SEC remain allegations at this stage. SolarWinds has described the SEC’s action as an “overreach” and has said that it will fight the “unfounded” allegations in court.

Nonetheless, the SEC’s announcement serves as a stark reminder to companies and to CISOs that there’s little to be gained by being coy about cyber risks. Regardless of the specific legal issues which arise in this case, the principles of empowerment, openness and dealing properly with cyber risk and vulnerability transcend jurisdictional issues and will confer benefit (when done right) regardless of location. That said, undoubtedly organisations with a US presence will be keeping a close eye on this case as it progresses.

CISOs should be empowered to speak up within organisations and be able to escalate concerns. This requires effort from companies’ senior leadership and chain of command, as well as from CISOs themselves. CISOs should document concerns contemporaneously and ensure that they are reported upwards. The benefits are not confined to avoiding regulatory charges or criminal offences (at the very sharpest end of the spectrum, obstruction-related offences are very much on the table, of the sort seen in the conviction of Joseph Sullivan of Uber). An environment of trust and empowerment breeds a culture of constructive checks and challenges where specialists’ expertise is respected and taken seriously, and where those who need to speak up and report concerns feel safe to do so.

Don’t let the catalyst for change in your organisation be a very public, very damaging attack followed by scathing legal and regulatory proceedings. Do it the other way around. Embed a culture of empowerment, take cyber risks seriously, be upfront about them and confront them, and avoid those risks as best you can.

Here at CyXcel, we believe in a world where organisations use information and tech to their advantage and where risks are identified, and mitigated against, early. Our unique blend of technical, consulting, and legal expertise all under one roof means we can help you get under the skin of your organisational structures and to strengthen your security and reporting mechanisms.

CyXcel – the edge when it matters.

CyXcel is a specialist business uniquely combining legal and technical expertise, helping you prepare for and respond to cybersecurity incidents. Learn more about CyXcel.
