31 October 2023

SEC charges SolarWinds over misleading cybersecurity practices (Updated)



The US Securities and Exchange Commission (SEC) has accused Texas-based software company SolarWinds and its chief information security officer, Timothy Brown, of misleading investors about its cybersecurity practices and known risks before the massive 2020 SolarWinds supply chain hack.

The company is charged with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

The SEC alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and lied to them by “disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

The regulator also found that the company’s public statements were at odds with its internal assessments, including a 2018 presentation stating that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late.”

In addition, multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. However, Brown failed to resolve the issues, the SEC said.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The two-year-long cyberattack, dubbed ‘Sunburst,’ came to light in December 2020 and involved hackers obtaining access to networks of multiple private and government agencies, including the US Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, and the Department of Energy, through a compromised update to SolarWinds' Orion network monitoring software. The campaign is believed to have been orchestrated by APT29, the Russian Foreign Intelligence Service (SVR) hacking unit.

A statement from SolarWinds:

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”

