SEC charges SolarWinds, CISO with fraud in 2020 supply chain attacks>
SC Media – Simon Hendery
SolarWinds and its chief information security officer (CISO), Tim Brown, have been charged with fraud by the U.S.
Securities and Exchange Commission (SEC) in relation to the 2020 Orion Sunburst supply chain attacks.
The SEC alleges that SolarWinds and Brown deceived investors by exaggerating the company’s cybersecurity practices and failing to disclose known risks.
Both the company and Brown have denied the allegations and plan to contest the case in the U.S.
District Court.
The charges come after the SEC sent “Wells Notices” earlier to indicate its intention to take action against them.
The supply chain attack involved threat actors gaining access to SolarWinds’ Orion software and distributing malicious updates, known as Sunburst, to approximately 1,800 customers between March and June 2020.
The SEC claims that Brown, who served as the company’s vice president of information security, was aware of the cybersecurity risks and vulnerabilities but failed to take appropriate action.
According to the SEC, SolarWinds and Brown’s alleged misconduct would have violated federal securities laws even without the cyberattack.
However, the attack exposed the severity of the violations.
SolarWinds’ president and CEO, Sudhakar Ramakrishna, responded to the SEC’s charges, stating that the company had maintained proper cybersecurity controls before the incident and has since improved its security measures.
SolarWinds settled a class-action lawsuit last year for $26 million, but a similar case brought by investors in Delaware was dismissed by the state’s Supreme Court.
Both SolarWinds and Brown assert their commitment to defending themselves against the SEC’s charges, with Brown’s lawyer emphasizing his dedication and integrity in performing his role as CISO.
Link: https://www.scmagazine.com/news/sec-charges-solarwinds-ciso-with-fraud-in-2020-supply-chain-attacks