The SEC has announced charges against the company and its Chief Information Security Officer.
The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
SolarWinds has countered the charges by claiming that being open and honest about their weakneses, executives telling truth to the street if you will, would undermine national security.
This SEC action may not get rid of all fraudsters posing as CISO in so many places — those who expect C-level pay with no real qualifications or responsibility — but it’s a start.
Related: SolarWinds is a Dust Bowl Disaster of Modern Computing