[co-author: Sam Finkelstein]*

The U.S. Securities and Exchange Commission has a message for publicly-traded companies that suffer a data breach: own up.

On Monday, the SEC sued Texas-based SolarWinds––and its Chief Information Security Officer (“CISO”)––for defrauding investors by allegedly failing to disclose known security risks in public filings. This marks the SEC’s first ever enforcement action against an individual corporate officer over their mishandling of a data breach––but it is unlikely to be the last.

SolarWinds is a data management company that develops software to help businesses operate their IT systems securely––at least, in theory. As recently as December of 2020, SolarWinds boasted an estimated 300,000 customers, including state and federal agencies and most Fortune 500 companies. The firm’s flagship Orion platform achieved a dominant position in the network management space, to such an extent that SolarWinds’ CEO ominously proclaimed in October of 2020 that “we manage everyone’s network gear.” This mix of high-profile clientele and abysmal internal controls combined to make SolarWinds an ideal “weak link” in the software supply chain––and this did not go unnoticed.

SolarWinds’ Catastrophic Data Breach

News of SolarWinds’ systems being breached first broke in December of 2020, but the world has since learned that SolarWinds’ troubles date back to October of 2018. Around that time, the firm was targeted by hackers identified as agents of Russia’s foreign intelligence service, known as the SVR. Due to SolarWinds’ poor security infrastructure, the SVR was able to insert malware into updates to the Orion platform, that were then pushed out to more than 18,000 customers. The fact that only a small fraction of Orion users were affected was intentional; the SVR targeted SolarWinds’ most high-profile customers with surgical precision.

From approximately October of 2018 until December of 2020, the SVR exploited SolarWinds’ systems in an attack widely regarded as the worst cybersecurity breach in U.S. history­­––if not world history. Using SolarWinds’ Orion platform as a vector, the SVR was able to target other cybersecurity companies that used Orion, as well as state and federal agencies in the United States. As alleged in the SEC complaint, SolarWinds’ initial disclosures of the breach were incomplete, knowingly understating how severe and widespread the incident truly was.

SolarWinds & its CISO Charged with Defrauding Investors by Downplaying Known Risks

In public statements, SolarWinds claimed to be an industry leader in cybersecurity. These claims helped SolarWinds win the confidence of major U.S. companies and government agencies, which entrusted the firm with their IT systems. But behind the scenes, SolarWinds––up to and including its CISO––spoke openly about critical security defects in its software that went unfixed for years.

The SEC complaint offers a look behind the scenes at SolarWinds during this period, and it is not pretty. For more than two years, from its 2018 initial public offering until its disclosure of the breach, SolarWinds employees and executives openly discussed how its software was riddled with serious vulnerabilities that would enable an exploiter to “basically do whatever without us detecting it until it’s too late.” Their public-facing statements told a very different story.

As alleged, senior personnel at SolarWinds ignored red flags and knowingly placed its clients––including federal and state agencies and many of America’s largest companies––at risk. The complaint specifically cites internal comments made by SolarWinds CISO Timothy G. Brown, who opined privately about the firm’s security issues and how vulnerable these issues left SolarWinds and its customers. Brown also gave internal presentations in 2018 and 2019 outlining the same concerns––concerns that were conspicuously absent from their communications with investors during the same period.

Rather than proactively remediating security issues that they knew placed their clients’ and the United States’ security at risk, SolarWinds and its CISO chose to mislead investors for years by overstating its cybersecurity practices and failing to disclose serious risks that were well known within the company, even at its highest levels. Simply stated, they sat on their hands and allowed the worst cybersecurity breach in history to go on for years in order to protect SolarWinds’ stock price. In some sense, their intuition was correct; the day that SolarWinds finally came clean with its (albeit incomplete) disclosure of the breach, its stock price plummeted by ~25%.

Is Your Company Prepared for the Future of Cyber Enforcement?

The SEC’s complaint marks a new era for cyber enforcement––it represents the first ever charge against an individual corporate officer for their role in the mishandling of a data breach. SolarWinds executives were quick to lay the blame on an unnamed “intern,” who purportedly set a critical password as “solarwinds123.” However, the SEC’s complaint should clarify where fault truly lies; SolarWinds’ supposed “intern” is not a defendant––the company and its CISO are.

Earlier this year, the SEC adopted new rules requiring public companies to disclose material cybersecurity incidents and issue an annual report detailing their cybersecurity risk management, strategy, and governance. If (or when) a cybersecurity breach occurs, these rules mandate that registrants disclose any breach they deem “material” within four business days of its discovery. The SEC’s unprecedented move against SolarWinds and its CISO should motivate compliance professionals and their cybersecurity partners to proactively evaluate internal processes and ensure that their companies are both (1) protected against cybersecurity incidents; and (2) prepared to respond in a manner consistent with the SEC’s new cybersecurity disclosure rules in the event that a breach occurs. To those unfortunates who fail to take notice: buckle up.

*Associate