Cyber risk - don’t gloss over it: SEC targets SolarWinds Corp and CISO over cybersecurity weakness


In a statement released this week, the US Securities and Exchange Commission (SEC) announced charges against SolarWinds Corp and its chief information security officer (CISO).
The allegations levelled by the SEC relate to the alleged overstating of the company’s cybersecurity posture, or the failure to disclose cybersecurity risks that were within the company’s knowledge. The SEC says that the company misled investors by disclosing only generic and hypothetical risks instead of the specific, known deficiencies and the elevated risk the company faced. These failings, says the SEC, amount to fraud and internal control failures around cybersecurity risks and vulnerabilities.
If you hadn’t heard, SolarWinds was subject to a serious cyber-espionage attack in 2019, known as the Sunburst attack, which affected its Orion IT system management platform. The attack was described by the Cybersecurity & Infrastructure Security Agency (CISA) as posing a “grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
SolarWinds had its IPO in October 2018, and the SEC has taken issue with SolarWinds’s public statements about its cybersecurity practices, which the SEC describes as being “at odds” with its internal assessments.
CyXcel's Principal Associate Jack Horlock discusses the important case.