At the end of October, the SEC announced fraud charges against SolarWinds and its Chief Information Security Officer, Timothy Brown. The charges, which SolarWinds and Brown aim to defend, primarily relate to misleading conduct and disclosures around cybersecurity practices. The case raises questions for CISOs and other assurance providers alike.
In this blog we cover:
- A recap of the 2020 data breach
- The state of SolarWinds’ cybersecurity
- What the case is about
- Who can be held responsible
- Relationship with new disclosure rules
- Key takeaways and actions
Subscribe to our knowledge hub to get practical resources, eBooks, webinar invites and more showing the latest developments in risk, resilience and compliance, direct to your inbox:
The 2020 SolarWinds breach
You may have been hiding under a rock if you haven’t heard about the breach, but let’s do a quick recap. SolarWinds sells network monitoring software and boasts nearly 100% penetration of the Fortune 500. Its flagship Orion product, a platform that was breached, accounted for 45% of its revenue.
Threat actors were able to infiltrate SolarWinds environment and were able to modify versions of the Orion product to include malicious code. Versions updated with the malicious code were then issued to around 18,000 customers. This customer base included federal institutions and cybersecurity firms. Approximately 100 of those customers were the target of secondary attacks, enabled by the Orion platform.
The state of SolarWinds cybersecurity
The SEC complaint outlines several poor practices during the relevant period, including some that related to or led to cyber breaches:
- Only 6% of NIST controls had a defined program in place, and 61% had no program or practice in place. The remaining number may have had something in place but required detailed review to validate.
- Password policies were not followed, including on critical systems. One system had a password of ‘solarwinds123’, which not only violated the complexity requirements but was also discovered to be publicly available in clear text
- An internal review for the NIST subcategory of ‘Identification and Authentication’ had zero controls rated as ‘In Place’.
- No Secure Development Lifecycle was in place, despite claims to the contrary.
The complaint also includes employee observations about the poor state of security, including:
- “The products are riddled [with vulnerabilities] and have been for years”
- A presentation sent to Brown with statements that SolarWinds had “No true expertise for security” and that core teams “Do NOT understand security!”
- “We’re so far from being a security-minded company. Every time I hear about our head geeks talking about security I want to throw up”
The complaint is peppered with these unflattering views of SolarWinds’ security position leading up to the breach.
What is the case about?
While the complaint outlines a range of poor cybersecurity practices, SolarWinds and Brown are not being taken to task for the practices themselves, or for the cyber breach itself. It’s not that they had poor practices – it’s that they lied about them. The core of the complaint against the company is that misleading disclosures affected the ability of investors to make informed decisions.
The company issued the same boilerplate statement about cybersecurity risks in 13 different SEC filings over a two-year period. During that time, significant issues were identified and discussed internally that should have shifted the needle. Employees were raising issues, customers were experiencing breaches, and external parties were issuing unflattering reports. The complaint also notes that Brown himself was raising issues internally, but none of these led to updated disclosures.
The SEC says that SolarWind’s disclosure in relation to the 2020 breach – “…[the vulnerability] could potentially allow an attacker to…” – was misleading, as those breaches had already occurred and weren’t potential. The SEC also says that the other disclosures would have breached federal law even if SolarWinds had not suffered a breach. High-impact public cyber incidents will always attract more intense inquiry and make it more likely that such deception will be uncovered.
In a world of whistleblowers, intentional leaks by disenfranchised employees, and third parties who have access to your internal environments, it’s not unreasonable that these types of inconsistencies may be uncovered – and publicly disclosed – in a variety of ways.
Who can be held responsible?
It’s important for CISOs to note that the complaint has been brought against Brown personally, not just SolarWinds. Brown was the key person responsible for the public-facing Security Statement and cybersecurity information in SEC filings – some of which, including the claims about the Secure Development Lifecycle and following the NIST framework, appear to be false. Brown is also accused of personally benefitting from selling shares during the period in which misleading statements were made.
There may also be extensions of liability regarding SolarWinds that are not covered directly by this SEC complaint. Firstly, SolarWinds was assessed under a SOC2 Type 2 certificate in 2019, after the threat actors had already infiltrated the system. It was also ISO 27001 certified at the time.
Assessments by external parties are meant to provide independent assurance to executives and boards. You can’t eliminate risk entirely, and one could argue that some threat actors have significant resources (though the SEC was clear that SolarWinds had basic security gaps), but it raises the question of whether there is any liability for assurance providers and the value of this type of assurance.
It’s also worth noting the increasing liability of other roles in organizations that serve as internal assurance providers, such as the realm of risk, compliance, and audit. We have seen a recent case where the former chief auditor, group risk officer, and executive audit director of Wells Fargo were held personally liable for failures to provide an adequate challenge. These cases suggest that assurance providers can’t turn a blind eye or fail to disclose information that could ultimately affect investors.
Relationship with new disclosure rules
Beyond reporting specific incidents, the SEC disclosure rules issued in August 2023 include a requirement to disclose your approach to cybersecurity management. The rules require you to describe processes for assessing, identifying and managing material risks in sufficient detail for a reasonable investor to understand those processes.
“Sufficient detail” isn’t explained further. If someone has cybersecurity practices today that are similar to how they are portrayed in this complaint, how should these be presented? “We have password policies that are poorly implemented across our products” or even “We have implemented policies but have limited assurance over how well they are managing the risks” might tank your stock price, but it might also invite opportunistic threat actors.
So what is the balance? How can you provide sufficient detail for investors, be sufficiently coy and avoid giving away too much information to threat actors, and ensure any statements aren’t misleading? This will be a challenge for CISOs to wrestle with.
The new rules also expect disclosure of how boards and committees are informed about cybersecurity risks. This case should be making directors ask more pointed questions of CISOs and management teams – not only to ensure their disclosures are accurate but also to reduce the potential for their own personal liability.
Conclusions and next steps for your organization
Here are my key takeaways:
- Make sure disclosures accurately reflect your cybersecurity posture and could not be misconstrued. Ensure those informing the disclosures aren’t incentivized (explicitly or implicitly) to make them look better than they are
- Update disclosures based on new information and changes to your environment (considering this case, we might expect targeted questions about repeated identical disclosures)
- Have a strong Information Security Management System in place, enabling you to make stronger disclosures. It can also enable you to compare disclosures more easily to your posture.
- You know your business better than anyone; don’t rely only on external assurance providers, ensure you have targeted controls and assurance for your most critical processes
If you’d like to know more about how to align your cyber security and enterprise risk management strategies, Protecht's Cyber risk management: The art of prevention, detection and correction eBook is a comprehensive guide that addresses the complex and ever-present challenges of cyber risk in today's digital age. Equip yourself with a holistic understanding of cyber risk management, enabling you to spearhead a proactive approach against ever-evolving digital threats.