Cybersecurity Firm Becomes Victim of Its Lies
Cybersecurity has become a critical issue in recent years. Hackers have attacked firms and even government agencies seemingly everywhere. The hacks raise a variety of issues ranging from disclosure to privacy. As the attacks continue a new industry has risen to assist firms in protecting themselves from such attacks.
The last thing a firm that is unprepared for an attack, or that has already been attacked, needs is to discover that the company it retained to assist in such an emergency is less than fully prepared to help, or worse. The Commission’s most recent action in the area centers on this issue, SEC v. SolarWinds Corp., Civil Action No. 1:23-cv-09518 (S.D.N.Y. Filed October 30, 2023).
Defendant SolarWinds, based in Austin, Texas, was created in 1999, conducted an IPO in 2009, went private in 2016 and two years later went public again. The firm claims to be skilled in the area of cybersecurity. Defendant Timothy Brown is a vice president at the company. The firm has a range of clients, from companies to government agencies. Each retains the firm for its presumed expertise in the cybersecurity area.
The true level of the firm’s expertise was revealed in its Form 8-K filing made on December 14, 2020. There the company disclosed that its network monitoring software contained malicious code that had been inserted by threat actors as part of a supply-chain attack. The filing failed to disclose that the vulnerability which permitted SolarWinds to be successfully attacked had been used to attack and harm company customers and a U.S. Government Agency six months earlier.
The attack on SolarWinds follows years in which the company and Mr. Brown provided software that numerous companies and government agencies relied on to manage their information technology infrastructure. Yet the public statements by Defendants about that software misstated its capabilities. For example, the company claimed that its software products were created in a secure development lifecycle that followed standard security practices, including vulnerability testing, regression testing, penetration testing, and product security assessments. This claim, and many others, is false.
The false statements made by the company also concealed a number of poor cybersecurity practices at SolarWinds. Those included a failure to consistently maintain a secure development lifecycle for software developed by the firm, a failure to enforce the use of strong passwords on all systems, and a failure to remedy access control issues which persisted for years. The filings made by the company with the Commission aided the concealment of SolarWinds’ deficiencies by containing only general, high-level risk disclosures that lumped cyberattacks into a list of risks alongside natural disasters, fires, power losses and telecommunication losses.
Mr. Brown and others at the firm knew about, and participated in, the publication of these and other misleading statements. This point is illustrated by a series of internal communications which contradict public statements made by the company. For example, in a January 2018 email senior managers admitted that the firm’s published article describing its Secure Development Lifecycle was false.
In the end, the company apparently became a victim of its own deception when it was attacked and damaged. The complaint alleges violations of Securities Act Section 17(a), Exchange Act Sections 10(b) and 13(b)(2)(B), and certain related rules. The case is pending. See Lit. Rel. No. 25887 (October 31, 2023).