The US SEC has announced charges against SolarWinds and its Chief Information Security Officer, Timothy Brown. The charges, which SolarWinds and Brown have said they intend to contest, primarily relate to misleading conduct and disclosures around cybersecurity practices. The case raises questions for CISOs and other assurance providers alike.
In this blog we cover:
- A recap of the 2020 data breach
- The state of SolarWinds’ cybersecurity
- What the case is about
- Who can be held responsible
- Relationship with new disclosure rules
- Key take-aways and actions
The 2020 SolarWinds breach
You may have been hiding under a rock if you haven’t heard about the breach, but let’s do a quick recap. SolarWinds sells network monitoring software and boasted nearly 100% penetration of the Fortune 500. Its flagship Orion product, the platform that was breached, accounted for 45% of its revenue.
Threat actors infiltrated SolarWinds’ environment and modified builds of the Orion product to include malicious code. Updates carrying the malicious code were then issued to around 18,000 customers, including federal institutions and cybersecurity firms. Approximately 100 of those customers were then the targets of secondary attacks, enabled by the compromised Orion platform.
The state of SolarWinds’ cybersecurity
The SEC complaint outlines several poor practices during the relevant period, some of which related to or led to breaches:
- Only 6% of NIST controls had a defined program in place, and 61% had no program or practice in place at all. The remainder may have had something in place, but validating that required detailed review.
- Password policies were not followed, including on critical systems. One system used the password ‘solarwinds123’, which not only violated the complexity requirements but was also found to be publicly available in clear text.
- An internal review for the NIST subcategory of ‘Identification and Authentication’ had zero controls rated as ‘In Place’.
- No Secure Development Lifecycle was in place, despite claims to the contrary.
The complaint also includes employee observations about the poor state of security, including:
- “The products are riddled [with vulnerabilities] and have been for years”
- A presentation sent to Brown with statements that SolarWinds had “No true expertise for security” and that core teams “Do NOT understand security!”
- “We’re so far from being a security minded company. Every time I hear about our head geeks talking about security I want to throw up”
The complaint is peppered with these unflattering views of SolarWinds’ security position leading up to the breach.
What is the case about?
While the complaint outlines a range of poor cybersecurity practices, SolarWinds and Brown are not being taken to task for the practices themselves, or for the breach itself. The SEC’s case is not that they had poor practices; it is that they misrepresented them. The core of the complaint against the company is that misleading disclosures affected investors’ ability to make informed decisions.
The company issued the same boilerplate statement about cybersecurity risks in 13 different SEC filings over a two-year period. During that time, significant issues were identified and discussed internally that should have changed what was disclosed. Employees were raising issues, customers were experiencing breaches, and external parties were issuing unflattering reports. The complaint also notes that Brown himself was raising issues internally, but none of this led to updated disclosures.
The SEC says that SolarWinds’ disclosure of the 2020 breach – “…[the vulnerability] could potentially allow an attacker to…” – was misleading, because the attacks enabled by that vulnerability had already occurred and were no longer merely potential. The SEC also says the other disclosures would have breached federal securities law even if SolarWinds had never been breached. High-impact public cyber incidents will always attract more intense scrutiny and make it more likely that a gap between disclosure and reality is uncovered. In a world of whistleblowers, intentional leaks by disgruntled employees, and third parties with access to your internal environments, it is not unreasonable to expect inconsistencies of this kind to be uncovered – and publicly disclosed – in a variety of ways.
Who can be held responsible?
It’s important for CISOs to note that the complaint has been brought against Brown personally, not just against SolarWinds. Brown was the key person responsible for the public-facing Security Statement and for the cybersecurity information in SEC filings, some of which – including the claims about a Secure Development Lifecycle and adherence to the NIST framework – the SEC alleges were false. Brown is also accused of personally benefiting from selling shares during the period in which the misleading statements were made.
There may also be extensions of liability arising from SolarWinds that are not covered directly by this SEC complaint. Firstly, SolarWinds obtained a SOC 2 Type 2 report in 2019, after the threat actors had already gained access to its environment. It was also ISO 27001 certified at the time. Assessments by external parties are meant to provide independent assurance to executives and boards. Bear in mind what these assessments actually test: a SOC 2 report and an ISO 27001 certificate attest that the controls an organisation describes exist and operate, not that its environment is free of vulnerabilities or of an active intruder. Risk can never be eliminated entirely, and one could argue that some threat actors have significant resources (though the SEC was clear that SolarWinds had basic security gaps), but this raises the question of whether assurance providers carry any liability, and what this type of assurance is actually worth.
It’s also worth noting the increasing liability of other roles in organisations that serve as internal assurance providers, such as risk, compliance and audit. We have seen a recent case in which the former chief auditor, group risk officer and executive audit director of Wells Fargo were held personally liable for failing to provide adequate challenge. These cases suggest that assurance providers can’t turn a blind eye, or fail to disclose information that could ultimately affect investors.
What does this mean for UK business?
Financial services businesses in the UK that come under the FCA/PRA regulatory regime are already held to strict Operational Resilience and Consumer Duty requirements. These can include personal liability for responsible executives, as TSB Bank’s former CIO discovered in April 2023 after a failed IT migration project led to severe customer harms.
While the focus of those rules is on management rather than disclosure, listed companies are also obliged to disclose information that a reasonable investor would expect to have a material effect on the company’s valuation.
More specific draft regulations that would have required UK businesses to have a Resilience Statement disclosing cyber risks and how they were being managed were withdrawn in October 2023. However, the government says that it remains committed to broader corporate governance reform, including research on cybersecurity disclosures in company annual reports.
Given the ever-present nature of cyber risk and its impact across supply chains, it may only be a matter of time before these types of disclosure become more standardised. More importantly, misleading disclosures, cyber security related or otherwise, may expose directors to personal liability.
Conclusions and next steps for your organisation
Here are my key take-aways:
- Make sure disclosures accurately reflect your cybersecurity posture and cannot be misconstrued. Ensure that those informing the disclosures are not incentivised (explicitly or implicitly) to make them look better than they are
- Update disclosures based on new information and changes to your environment (considering this case, we might expect targeted questions about repeated identical disclosures)
- Have a strong Information Security Management System in place, so that disclosures are backed by evidence and can be compared more easily against your actual posture
- You know your business better than anyone: don’t rely only on external assurance providers; ensure you have targeted controls and assurance for your most critical processes
If you’d like to know more about how to align your cyber security and enterprise risk management strategies, Protecht's Cyber risk management: The art of prevention, detection and correction is a comprehensive guide that addresses the complex and ever-present challenges of cyber risk in today's digital age. Equip yourself with a holistic understanding of cyber risk management, enabling you to spearhead a proactive approach against ever-evolving digital threats.