The U.S. Securities and Exchange Commission (SEC) has filed a fraud suit against SolarWinds and its chief information security officer (CISO), alleging they made false statements regarding the company’s security practices and a security incident.
The crux of the claims is that the company and its CISO misrepresented company practices regarding the adoption of the NIST Cybersecurity Framework, implementation of a secure development lifecycle for products and password and access controls.
The SEC also alleges that SolarWinds lacked required disclosure controls and procedures, which allegedly resulted in the company making false statements regarding a 2020 security event.
Here are three things companies should consider doing in light of the SEC’s suit against SolarWinds:
1. Review disclosures and public statements regarding cybersecurity practices.
- The SEC’s claims suggest its willingness to closely scrutinize the precision and breadth of security-related statements.
- As businesses know, these statements are particularly difficult to draft as cybersecurity is a process of continuous improvement in the face of rapidly evolving infrastructure, threats, attacker tactics, zero-day vulnerabilities and exploits. Put simply, what organizations believe they have locked down today may be revealed as unsecured tomorrow through no fault of the organization itself.
- Businesses should consider reviewing existing disclosures and public statements regarding cybersecurity practices against, at a minimum, their most recent internal and external cybersecurity assessments and executive cybersecurity updates. The goal? Identifying any statements that may be unnecessary, overbroad or out-of-date.
2. Prepare for new rules.
- The recently finalized SEC Cybersecurity Disclosure Rules will make careful scrutiny of security statements more difficult, because the rules require companies to provide more detailed cybersecurity disclosures.
- When preparing disclosures to comply with the new rules, organizations should balance the value and necessity of additional disclosures against added risk of liability.
3. Assess disclosure controls and procedures.
- Every one of the SEC’s cybersecurity enforcement actions, including this litigation, has included a claim of inadequate disclosure controls and procedures, primarily for deficient processes to escalate incidents to management.
- Companies should consider implementing or updating incident response plans with a severity matrix based on objective criteria for incident severity, which feeds into or triggers a documented process for escalating incidents to management according to that severity.
- For incidents of a predetermined severity, that escalation process should incorporate a disclosure review. Companies should also consider implementing specific cybersecurity disclosure controls and procedures to guide the company’s analysis of materiality of cybersecurity incidents and risks more generally.
The SEC Investigation Dates to SolarWinds’ Handling of a 2020 Cyberattack
On December 14, 2020, SolarWinds filed a Form 8-K stating that the company had been informed of a vulnerability in its Orion Software Platform resulting from a cyberattack. It was later reported that a Russian state-sponsored actor compromised SolarWinds’ systems and used that access to insert a vulnerability into Orion code that the actor could then exploit on Orion customers’ systems. This became known as the SUNBURST incident.
SolarWinds disclosed this year that the company and several of its executives had received notices indicating they were the targets of an ongoing SEC investigation into the company’s handling of the incident.
On October 30, the SEC filed a civil action against the company and its CISO, alleging they made a variety of false statements prior to and following the SUNBURST incident and that the company had inadequate accounting and disclosure controls.
The SEC Alleges SolarWinds Made False Statements on its Website and in Registration Statements
The SEC alleges that SolarWinds made false statements in a Security Statement on SolarWinds’ website as well as in SolarWinds’ Form 10-K, 10-Q, S-1 and S-3 Registration Statements. The action against the CISO is premised on his name and photo appearing on the Security Statement and his sub-certifications of the registration statements.
- Security Statement: The SEC alleges SolarWinds and the CISO knowingly made false claims in the Security Statement that SolarWinds:
  - Followed the NIST Cybersecurity Framework (CSF), when internal assessments identified that the majority of the CSF controls were not in place.
  - Had a secure development lifecycle following standard security practices, when internal assessments identified that the company was only starting to implement secure development practices.
  - Had a strong password policy covering all systems, when many systems used default or simple passwords, or stored passwords in plain text.
  - Maintained strong access controls to sensitive data, when administrator rights were in fact widespread, controls were not in place to enforce the principle of least privilege, and vulnerabilities had been identified in the company’s virtual private network.
- Registration Statements: The SEC alleges that SolarWinds included only generic and hypothetical statements about cybersecurity risk that did not alert investors to the elevated risks at SolarWinds based on the deficiencies above.
- SUNBURST Event 8-K: The SEC alleges that SolarWinds filed a Form 8-K following discovery of the SUNBURST event that falsely said the vulnerability “could potentially allow” for compromise, and that the company was still investigating “whether” the vulnerability had been exploited, when SolarWinds allegedly was aware of multiple instances of exploitation.
Regulators Cited SolarWinds Control Deficiencies
- The SEC alleges that while the company purported to use the NIST CSF to satisfy portions of its accounting controls, those controls, as noted above, were not in place.
- The SEC also alleges that the above deficiencies demonstrate that SolarWinds did not have sufficient controls to protect its critical assets, including the Orion product.
- Lastly, the SEC alleges that SolarWinds had inadequate disclosure controls and procedures because the company’s incident response plan required escalation to management only for incidents in which multiple customers were affected, even though incidents could be material in other ways. The SEC specifically points to the company’s alleged failure to disclose an attack on its VPN, as well as the compromise of two customers during SUNBURST.