The SolarWinds cyberattack – the story continues

SEC litigation against SolarWinds and its CISO

On October 30, 2023, the U.S. Securities and Exchange Commission (SEC) filed a litigated complaint against SolarWinds, a software development company, as well as against its Chief Information Security Officer (CISO) personally. This recent case comes against the backdrop of the SolarWinds hack of 2020, where SolarWinds vulnerabilities became central in a sophisticated supply chain attack that impacted over 18,000 organizations globally including U.S. government agencies (also known as the 'Sunburst' attack).

Key allegations by the SEC

The SEC alleges that SolarWinds and its CISO, from October 2018 to January 2021, made materially misleading statements about the company’s cybersecurity practices. Key allegations include:

1. Misleading Security Statements: Inaccurate claims about cybersecurity standards, password policies, access controls and secure development lifecycle practices.
2. Generic and Hypothetical Cybersecurity Risk Statements: Cybersecurity risk statements included in periodic filings were generic and hypothetical, and failed to address known risks.
3. Failure to Disclose Confirmed Attacks: The SEC claims that SolarWinds and its CISO knew of several confirmed attacks against customers, yet still framed the vulnerabilities as hypothetical when disclosing the Sunburst incident.
4. Deficient Cybersecurity Controls and Known Vulnerabilities: Generally, SolarWinds is accused of having deficient cybersecurity controls and failing to address known vulnerabilities, leaving its systems susceptible to attack.

SolarWinds argues that the SEC's lawsuit is fundamentally flawed, both factually and legally, and plan to defend against the charges.

Why this matters to your organization

The principles highlighted in this case are not confined to U.S. companies or those listed on U.S. stock exchanges. The lawsuit signals a significant legal move as a government authority is directly challenging a company for defrauding investors through false cybersecurity assurances. The litigation may incentivize regulatory bodies worldwide to establish similar legal precedents locally, considering that the case comes at a time when regulatory bodies, globally, are ramping up cybersecurity related legislation. Further, cybersecurity is a universal concern, and organizations, regardless of jurisdiction or listing status, can draw valuable insights to reduce their risk exposure.

Key takeaways for your organization:

1. Responsibility of the Board, Senior Executives and CISOs. The litigation underlines the responsibility of boards and senior executives to ensure that cyber related risks are promptly addressed with sufficient resources. The SEC's allegations also emphasize the importance of accurate statements made by CISOs to ensure these reflect the organization's actual cybersecurity challenges.
2. Transparency and Communication: Accurate and transparent communication about your organization's cybersecurity practices is fundamental. Clear disclosures, even if not specifically mandated, contribute to building trust and resilience.
3. Global Cybersecurity Impact: Cyber threats know no borders. The SolarWinds incident serves as a stark reminder of the global nature of cybersecurity challenges, emphasizing the need for robust defenses irrespective of jurisdiction.
4. Proactive Cybersecurity Measures: Adopting a proactive approach to cybersecurity is crucial for organizations worldwide. Regular assessments, updates, and diligence are essential to safeguard your operations. Failure to do so may have consequences both for your organization and for the management personally.
5. Know your exposure: You should know what exposure you organization and your management have both from a regulatory and contractual perspective, and how that exposure may materialize as a result of inadequate cybersecurity processes or lack of transparency.