SEC Charges Against SolarWinds CISO Send Shockwaves Through Security Ranks

Published: 23/11/2024   Category: security




The legal actions may have a chilling effect on hiring CISOs, who are already in short supply, but may also expose just how budget-constrained most security executives are.



The Securities and Exchange Commission (SEC) has charged SolarWinds Corp., along with its CISO Tim Brown, with fraud and internal control failures related to the 2020 supply chain cyberattack on the company's Orion Platform, which ultimately led to the compromise of US government departments by Russian intelligence.
The charges are already sending shockwaves throughout the CISO community.
At issue, according to the SEC, is the discrepancy between what Brown and other SolarWinds employees were saying internally versus what they disclosed to investors. Internal messages revealed employees were well aware they were misleading customers in the wake of the discovery of the Orion vulnerability, the SEC explained in its complaint.
"Shortly after the October 2020 attack against Cybersecurity Firm B, SolarWinds employees including Brown recognized similarities between the attack on U.S. Government Agency A," the SEC complaint said. "But when personnel at Cybersecurity Firm B asked SolarWinds employees if they had previously seen similar activity, InfoSec Employee F falsely told Cybersecurity Firm B that they had not. He then messaged a colleague, 'Well, I just lied.'"
But the failure to put appropriate cybersecurity controls in place at SolarWinds started as far back as 2018, according to the regulator. The SEC alleges Brown was aware of, but ignored, warnings about the company's vulnerabilities, including a 2018 presentation by a SolarWinds engineer that flagged the company's remote access setup as "not very secure," and explained a threat actor "could use it to basically do whatever without us detecting it until it's too late," the filing said.
By ignoring these warnings about the cybersecurity posture of the company and failing to raise the issue up the chain of command, the SEC alleges Brown willfully left the company systems unprotected.
SolarWinds filed an incomplete 8-K disclosure with the SEC in December 2020 and Brown personally profited from the inflated stock price, according to the charges.
"SolarWinds' stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint," the SEC said.
The SEC further accused Brown of selling inflated SolarWinds stock before its value plummeted once the full impact of the compromise became public. Between February 2020 and the end of August 2020, Brown sold 9,000 shares of SolarWinds at a profit of $170,000, according to New York Stock Exchange records provided by the SEC. By the end of December 2020, SolarWinds' stock price had dropped by 35%.
Other charges include SolarWinds making materially false and misleading statements about its cybersecurity practices by stating programs like the National Institute of Standards and Technology (NIST) framework were fully in place, when, in fact, they were only partially deployed.
In response, SolarWinds promised a court fight ahead.
"We are disappointed by the SEC's unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk," a SolarWinds spokesperson said, in a statement provided to Dark Reading. "The SEC's determination to manufacture a claim against us and our CISO is another example of the agency's overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments."
Brown's attorney, Alec Koch, similarly pledged a vigorous defense of his client.
"Tim Brown has performed his responsibilities at SolarWinds as vice president of information security and later as chief information security officer with diligence, integrity, and distinction," Koch said in a statement. "Mr. Brown has worked tirelessly and responsibly to continuously improve the Company's cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC's complaint."
CISO accountability is something the cybersecurity community has been watching closely over the past year. The fresh SEC charges against Brown and SolarWinds come on the heels of a judge sentencing Uber CISO Joe Sullivan to three years' probation for his role in the coverup of a 2016 data breach at Uber, and promising harsher penalties in the future.
Amtrak CISO Jesse Whaley isn't quite sure how the SolarWinds SEC indictment will impact the CISO role more broadly, just yet.
"It's either really good or really bad," Whaley says. "This could do more to advance cybersecurity than another decade of breaches."
On the other hand, Whaley wonders if the SEC is really doing the right thing by charging Brown, adding he has questions about why the company's chief financial officer or general counsel weren't also named in the indictment.
Jessica Sica, CISO at Weave, worries the move by the SEC to charge Brown will push more people away from the CISO role.
"It will likely have a chilling effect, which we're already seeing with CISOs leaving their jobs to become field CISOs for vendors," Sica says.
The increasingly acute problem for CISOs, she explains, is that almost none have the resources they need to do their jobs.
"I think the main concern is will the SEC and other entities start holding CISOs accountable for breaches that happened from them not getting the resources they need to do the job?" Sica asks.
But, she adds, in terms of disclosures, telling the truth is always the smartest move. "Don't lie. Don't cover up, and make sure you are remediating the most critical issues that affect your business," Sica advises.
CISOs should also be very careful about statements they issue in the future that might contain overly optimistic language, cybersecurity expert Jake Williams advises.
"The CISO often gets roped into signing off on a statement implying the existence of a functioning program," Williams says. "I've even worked with publicly traded companies publicly discussing a program still in the planning stages as if it were fully deployed. In short order, I don't think you'll be able to find a CISO to play word games like this."
