SEC charges SolarWinds with fraud in connection to SUNBURST cyberattack
The SEC alleges that SolarWinds and Brown defrauded investors by misrepresenting the company’s cybersecurity practices and understating known cybersecurity risks.
The US Securities and Exchange Commission (SEC) has charged SolarWinds Corporation, a software company based in Austin, Texas, and its Chief Information Security Officer, Timothy G. Brown, with fraud and internal control failures related to cybersecurity risks and the SUNBURST cyberattack.
The SEC alleges that SolarWinds and Brown defrauded investors by misrepresenting the company’s cybersecurity practices and understating known cybersecurity risks from its 2018 IPO to the disclosure of the cyberattack in December 2020. Internal assessments and communications revealed discrepancies between public statements and actual cybersecurity vulnerabilities. Brown, aware of the risks, allegedly failed to address them adequately. SolarWinds’ incomplete disclosure of the SUNBURST attack led to a 25% stock price drop over two days and a 35% drop by the end of December 2020.
The SEC seeks permanent injunctive relief, disgorgement, civil penalties, and an officer and director bar against Brown. The enforcement action emphasises the importance of accurate disclosures and reinforces the SEC’s message to companies to implement strong controls and transparently communicate known concerns to investors.