Industry peers of Timothy G. Brown, SolarWinds' chief information security officer, expressed concern in a court filing this month that the Securities and Exchange Commission is trying to hold Brown responsible for public statements from the company that allegedly misled investors about SolarWinds' cybersecurity practices prior to its infamous 2020 cybersecurity breach.
From 2018 to 2020, before he was named CISO and before SolarWinds discovered the Sunburst attack, Brown wrote multiple private memos to company executives and others expressing concern about SolarWinds' cybersecurity posture. He said in October 2018, for example, that the company's "current state of security leaves us in a very vulnerable state for our critical assets."
The SEC claims this shows Brown knew SolarWinds' public statements about its strong security posture were fraudulent. Thirty current and former CISOs, including the CISOs of City National Bank of Florida and Axis Capital, said in
"Liability under these theories empowers threat actors, chills internal communications about cyber-threats, exacerbates the already severe shortage of cybersecurity professionals, and deters collaboration between the private sector and the government," the CISOs said.
In
Far from claiming SolarWinds' cybersecurity practices were sufficient, Brown said while investigating a May 2020 attack on a U.S. government agency that it was "very concerning" that the attacker may have been looking to use SolarWinds' Orion software in larger attacks because "our backends are not that resilient." Indeed, attackers were already exploiting a vulnerability in that very software to penetrate multiple other U.S. agencies.
But publicly, SolarWinds touted its security practices in a statement on its website that, the SEC alleged, included multiple false claims. Among them were assertions that SolarWinds complied with a well-known framework for evaluating cybersecurity practices, used a secure development lifecycle, had strong password protection and maintained good access controls.
The SEC presented evidence that each of these statements was false, and it also alleged that Brown was identified as the "owner" or "approver" of the public statements in multiple company documents.
"We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds' cyber risks," said Gurbir Grewal, director of the SEC's division of enforcement, in October. "Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."
With Microsoft, Equifax and others acknowledging that the SolarWinds hack of U.S. government entities had affected their holdings, security teams and vendors have put the holiday aside while continuing around-the-clock surveillance to ensure no financial services or payments networks have been hacked.
Grewal said the lawsuits against Brown and SolarWinds are designed to underscore a message to stock issuers: "Implement strong controls calibrated to your risk environments and level with investors about known concerns."
But for their part, the 30 CISOs who filed this month's brief said the SEC's attempt to "weaponize" Brown's candid evaluations "cannot be reconciled" with its insistence that Brown failed to sufficiently warn senior executives of SolarWinds' vulnerable state.
Among the other arguments the CISOs offered is that the SEC's lawsuit against Brown threatens to chill internal discussions and candid self-assessments such as those Brown offered internally.
"The SEC's action would give CISOs an incentive to refrain from candid communication for fear that an internal email or presentation intended to improve cybersecurity measures will be taken out of context by the SEC to claim that a CISO deliberately misled investors," the brief read.
Attorneys for Brown and SolarWinds said last month in
"Brown is not even alleged to have played a role in the company's risk factor disclosures, and there is no conduct alleged remotely suggesting that he ever sought to deceive investors," the motion to dismiss reads. "The SEC also fails to articulate any coherent theory of aiding-and-abetting liability against Brown."