This episode covers the SEC charges against SolarWinds and CISO Timothy Brown for allegedly hiding known cybersecurity risks prior to the 2020 supply chain attack it suffered.
The U.S. Securities and Exchange Commission's charges against IT management vendor SolarWinds and its CISO for allegedly misleading investors raise big questions for the infosec industry.
The charges came nearly three years after it was revealed that SolarWinds customers, including tech giants and the U.S. government, were compromised by a supply chain attack resulting from an Orion software update that attackers poisoned with a malicious implant. This week, the SEC charged SolarWinds and its CISO, Timothy Brown, with fraud and internal security control failures.
In a press release announcing the charges, the SEC alleged that, from at least October 2018 until at least the December 2020 breach disclosure, "SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks."
"In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time," the press release read.
The commission also claimed that employees, including Brown, questioned SolarWinds' ability to protect its critical assets from cyber attacks and accused Brown of being aware of the company's risks but failing "to resolve the issues or, at times, sufficiently raise them further within the company."
On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the SEC charges brought against SolarWinds and Brown, what they could mean for other CISOs and how they may shift the regulatory landscape.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.