SEC vs. SolarWinds: Lessons from a Landmark Cybersecurity Fraud Complaint
- Avraham Cohen
- Apr 25, 2025
- 22 min read
If you are in a hurry -> Lessons and Actionable Advice for CISOs and Security Leaders
Introduction
In late 2023, the U.S. Securities and Exchange Commission (SEC) took the unprecedented step of charging SolarWinds – an IT management software company – and its Chief Information Security Officer (CISO) in connection with the infamous 2020 “Sunburst” breach (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).
The SEC’s complaint alleges that SolarWinds and its then-CISO defrauded investors by presenting an overly rosy picture of the company’s cybersecurity posture while concealing pervasive security failings and risks (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
This blog-style analysis breaks down the SEC’s case (SEC v. SolarWinds Corp. and Timothy G. Brown, No. 1:23-cv-9518) and draws out key lessons for CISOs and security leaders on how to avoid such breaches – and the lawsuits that follow.
Background: The SolarWinds Breach and SEC Action
SolarWinds Corp. is an Austin, Texas-based software company whose products (notably the Orion IT monitoring platform) are used by thousands of enterprises and government agencies worldwide (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).
In December 2020, SolarWinds disclosed that it had been the target of a massive, nearly two-year cyber-espionage campaign. Attackers – later attributed to a Russian state actor – had inserted malware into routine Orion software updates, a supply-chain attack now known as “Sunburst” (SolarWinds Corporation and Timothy G. Brown) (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn).
The tainted updates were downloaded by thousands of customers, enabling the attackers to penetrate numerous government and private networks in one of the most extensive cyber-attacks on record (SolarWinds Corporation and Timothy G. Brown) (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn).
SolarWinds’ stock price plummeted (down ~25% in two days and ~35% by end of December 2020) after the breach came to light (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
In October 2023, the SEC filed a civil enforcement lawsuit (Complaint No. 2023-227) against SolarWinds and its CISO, Timothy Brown (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
The prosecuting agency – the SEC’s Enforcement Division – alleges that from SolarWinds’ October 2018 initial public offering (IPO) through the December 2020 Sunburst disclosure, the company and Brown deliberately misled investors about the company’s cybersecurity.
This marks the first time the SEC has brought cybersecurity fraud charges against an individual corporate officer (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP), signaling regulators’ growing focus on executive accountability for cyber risks.
SolarWinds and Brown have publicly denied the allegations, calling the SEC’s action “misguided,” and the litigation is ongoing (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).
The SEC Complaint: Fraud and Control Violations
Prosecuting Entity: U.S. Securities and Exchange Commission (SEC).
The complaint was filed in U.S. District Court (Southern District of New York) on October 30, 2023 (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
Company and Individuals Charged: SolarWinds Corporation and Timothy G. Brown (SolarWinds’ Vice President of Security Architecture, effectively the CISO) (SolarWinds Corporation and Timothy G. Brown). Both the company and Brown are named as defendants.
Types of Claims: The SEC’s charges include violations of federal securities fraud provisions and failures in corporate controls. Specifically, the SEC alleges violations of the anti-fraud sections of the Securities Act of 1933 and the Securities Exchange Act of 1934, meaning SolarWinds and Brown are accused of making material misstatements and engaging in deceptive schemes (i.e. securities fraud) (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
In addition, SolarWinds alone is accused of violating reporting and internal control provisions of the Exchange Act – essentially, that it failed to maintain effective internal controls and made false/incomplete filings (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
Brown is further charged with aiding and abetting the company’s violations, given his role in certifying and communicating the false information (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
These claims range from intentional fraud (scienter-based deception) to negligence-based failures to meet reporting obligations.
In summary, the SEC contends SolarWinds and its CISO knowingly overstated the company’s cybersecurity measures and hid known deficiencies, thereby deceiving shareholders and violating securities laws (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
Allegations: Misleading Security Claims vs. Reality
At the heart of the SEC’s case are detailed allegations that SolarWinds’ public representations about its cybersecurity were materially false or misleading when compared to internal realities. Key claims include:
Overstating Security Practices: SolarWinds published a “Security Statement” on its website throughout 2018–2020 touting its robust cybersecurity program (SolarWinds Corporation and Timothy G. Brown). For example, this statement claimed the company followed a “Secure Development Lifecycle” (SDL) with industry-standard practices (vulnerability testing, penetration testing, etc.), enforced a strong enterprise password policy, and maintained strict “need-to-know/least privilege” access controls (SolarWinds Corporation and Timothy G. Brown). According to the SEC, all of these claims were false (SolarWinds Corporation and Timothy G. Brown). Internally, SolarWinds did not consistently adhere to an SDL for its software development (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP); it failed to enforce complex passwords across systems, even allowing trivial or default passwords to persist; and it had years-long, unremedied access control weaknesses such as shared credentials and excessive administrative access (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).
Ignoring Known Security Gaps: The complaint reveals a trove of internal communications acknowledging serious cyber vulnerabilities that went unaddressed. For instance, a 2018 internal presentation (the same month as the IPO) by a SolarWinds engineer warned that the company’s remote-access VPN setup was “not very secure” – an attacker could “basically do whatever without us detecting it until it’s too late,” risking “major reputation and financial loss” (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). In another 2018 slide deck, Brown himself noted the “current state of security leaves us in a very vulnerable state for our critical assets” (SolarWinds Corporation and Timothy G. Brown) (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). An August 2019 presentation bluntly stated that “access and privilege to critical systems/data is inappropriate” (SolarWinds Corporation and Timothy G. Brown) (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). By 2020, internal emails and risk reports grew dire: in June 2020, investigating a customer’s hack, Brown wrote it was “very concerning” attackers might exploit SolarWinds’ software because “our backends are not that resilient” (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). A September 2020 internal document warned that “the volume of security issues being identified... [had] outstripped the capacity of Engineering teams to resolve”, highlighting significant unpatched vulnerabilities (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). 
These red flags – ranging from out-of-control admin privileges to a known VPN vulnerability that wasn’t fixed – were well-known inside SolarWinds (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Yet, as the SEC alleges, SolarWinds took insufficient action and certainly did not disclose these issues to investors (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). One frustrated employee even remarked, “We’re so far from being a security-minded company”, capturing the internal sentiment (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
Generic Risk Disclosures (Omissions): In its SEC filings (registration statements, 10-Ks, etc.), SolarWinds did mention cybersecurity risk – but only in generic boilerplate terms. The company lumped cyberattacks in with general risks like natural disasters or outages, framed only as hypothetical possibilities (SolarWinds Corporation and Timothy G. Brown). Nowhere did those public filings acknowledge the very real, specific security problems management knew about. For example, SolarWinds’ filings warned it might be unable to defend against “unanticipated” attacks, but failed to mention that known weaknesses were already leaving it exposed to anticipated threats (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). These omissions made the disclosures materially misleading, according to the SEC, because investors were not told that the company had already determined it wasn’t taking adequate steps to guard against likely attacks (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). In effect, SolarWinds kept repeating “everything might go wrong” boilerplate while internally “everything is going wrong” was closer to the truth.
Delayed and Misleading Breach Disclosure: Even when the Sunburst attack was discovered in December 2020, the SEC says SolarWinds did not come clean. On December 14, 2020, the company filed a Form 8-K announcing it had “been made aware of a cyberattack” that inserted a vulnerability into Orion software “which, if present and activated, could potentially allow an attacker to compromise the server” (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). The SEC emphasizes the phrasing misleadingly framed the issue as a mere potential risk, when in reality SolarWinds already knew that this vulnerability had been exploited – attackers had compromised at least three customer systems via Orion (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). By couching an active breach as a hypothetical possibility, SolarWinds again understated known facts in a key investor disclosure. This incomplete 8-K coincided with the sharp stock drop and drew immediate scrutiny (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
In short, the SEC’s detailed claims portray a company that knew its cybersecurity was deficient and under active threat, yet publicly boasted of strong security and reported only abstract risks. This dichotomy forms the basis of alleged securities fraud (investors were misled by false assurances) and alleged negligence in governance (failure to fix or fess up to problems).
Technical and Security Failings Highlighted
Several specific technical failings were cited as evidence of SolarWinds’ poor cybersecurity practices during the period in question:
Lack of Secure Development Lifecycle (SDL): Despite telling investors it followed a rigorous secure development process, SolarWinds did not consistently apply SDL principles to its software, including its flagship Orion platform (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Internal discussions from 2018 show leadership recognized they hadn’t implemented SDL and only planned to “begin incorporating the SDL” into development going forward (SolarWinds Corporation and Timothy G. Brown). In other words, secure coding practices were absent or ad hoc for years, even as the company claimed otherwise.
Weak Password Practices: SolarWinds’ public Security Statement asserted that a strong password policy was enforced company-wide (with complex passwords, regular changes, and individual hashing/salting) (SolarWinds Corporation and Timothy G. Brown). The reality was very different. Default and weak passwords abounded. For example, an internal audit in April 2018 found critical systems using shared “legacy” credentials and even instances where the default password was literally “password” – which a senior security manager admitted is a “poor security practice” (SolarWinds Corporation and Timothy G. Brown). The same audit found some database passwords stored in plain text in configuration files and system registries, directly contradicting the claim that all passwords were encrypted and salted (SolarWinds Corporation and Timothy G. Brown). These password problems were flagged repeatedly (in the 2017, 2018, and 2019 audits) but persisted for years (SolarWinds Corporation and Timothy G. Brown). In short, SolarWinds often failed to follow its own password policy, undermining a fundamental security control.
Inadequate Access Controls: The SEC alleges SolarWinds failed to restrict access on a “need-to-know/least privilege” basis despite claiming to do so (SolarWinds Corporation and Timothy G. Brown). Internal reports highlighted “significant deficiencies” in access controls, such as widespread use of administrator privileges where inappropriate (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). One cited issue was a VPN setup that allowed broad remote access from unmanaged devices – described by an engineer as so insecure that an intruder could “do whatever” without detection (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ). These kinds of access control gaps were not remediated promptly, remaining open for exploitation. Excessive privileges and unsegmented networks likely magnified the impact of the breach once attackers got in.
Unpatched Vulnerabilities & Incident Response Gaps: SolarWinds was aware of numerous vulnerabilities in its software and even observed attackers targeting its products before Sunburst. In 2019-2020, at least two cybersecurity firms and a U.S. government agency suffered breaches traced to SolarWinds software, and by fall 2020 SolarWinds knew of eight new high-risk flaws in its platform (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). These warning signs were effectively ignored. The SEC notes SolarWinds had no effective process to ensure such critical information was escalated and addressed – indicating a breakdown in patch management and incident response. Indeed, it was a SolarWinds customer (cyber firm FireEye) that finally discovered the malicious code in Orion, not SolarWinds’ own monitoring (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Weak logging and detection capabilities meant the company was blind to ongoing attacks in its infrastructure.
False Sense of NIST Framework Compliance: SolarWinds also implied it aligned with the NIST Cybersecurity Framework, giving stakeholders comfort that it followed best practices. In truth, the SEC says the company “had no program/practice in place for the majority of [NIST] controls” – a stark discrepancy (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Claiming adherence to well-known frameworks without actual implementation is especially misleading to investors and customers who rely on such representations.
In aggregate, these technical failings created an environment ripe for compromise. More importantly for the SEC’s case, the company’s failure to disclose or correct these issues – while simultaneously assuring everyone that security was a priority – is viewed as a material deception.
Internal Control and Governance Failures
Beyond the technical issues, the SEC complaint paints a picture of governance breakdowns at SolarWinds that allowed these problems (and misstatements) to persist:
Deficient Internal Controls: As a public company, SolarWinds is required to maintain effective internal controls for financial reporting and asset protection. The SEC alleges SolarWinds “failed to devise and maintain a system of controls sufficient to protect its critical assets” (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). For example, the company had documented processes (certification controls) to evaluate cybersecurity, but did not actually follow them. The complaint notes that while CISO Timothy Brown signed off on the effectiveness of technology controls as part of Sarbanes-Oxley (SOX) compliance, he later “was unable to identify the relevant controls” and admitted he based his certification on a general sense rather than concrete evidence (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). In essence, required internal control checks became a check-the-box exercise. Known weaknesses in areas like access controls were not factored into those certifications (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP), undermining their integrity.
Lack of Disclosure Controls: Public companies also must have disclosure controls and procedures to ensure that information about significant risks (like major cyber vulnerabilities or incidents) gets collected and reported to those who prepare SEC filings. The SEC claims SolarWinds had no effective process to funnel cybersecurity risk information to its executive disclosure committee (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Despite the flurry of internal communications about security issues in 2018–2020, “no one, including the CISO, raised the issues with SolarWinds’ Disclosure Committee” (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). There were insufficient procedures to ensure Brown or others would elevate these red flags for consideration in investor disclosures (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). This gap meant material cyber risks stayed siloed in IT/security channels and never informed what SolarWinds told its investors – a critical governance failure.
Culture of Concealment: The SEC harshly concludes that SolarWinds’ cybersecurity deficiencies “reflected a culture that did not take cybersecurity issues with sufficient seriousness, and a scheme to conceal these issues from investors and customers.” (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP) Internal documents show employees voicing concerns only to see them downplayed. Rather than prioritizing fixes or transparency, leadership was more focused on maintaining an image of security. The complaint even uses terms like “recklessness, negligence, and scienter (intent)” to describe the company’s mindset toward cybersecurity during this period (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). In other words, warnings were ignored and the company willfully chose not to inform investors of mounting risks. Such a culture directly enabled the false statements and omissions at issue.
Stock Sales (Insider Benefit): Although not the centerpiece of the SEC’s case, the complaint notes that CISO Brown personally profited from SolarWinds’ inflated stock price by selling shares in 2020 (SolarWinds Corporation and Timothy G. Brown). He exercised options and sold stock for over $170,000 before the breach was revealed (SolarWinds Corporation and Timothy G. Brown). This creates a possible motive for the alleged fraud – i.e., to keep the stock high – and underscores the seriousness of misleading investors about material risks.
Enforcement Consequences: The SEC is seeking significant penalties: permanent injunctions, disgorgement of ill-gotten gains, civil fines, and even a bar prohibiting Brown from serving as an officer or director of any public company (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures ).
These are severe outcomes that reflect the SEC’s view of the case as a major violation. It’s worth noting that in mid-2024, in preliminary court rulings, SolarWinds succeeded in getting some of the SEC’s claims (particularly those hinging on internal accounting control rules) dismissed as not legally applicable to cybersecurity (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn).
However, the core fraud allegations – such as the misleading “Security Statement” – have been allowed to proceed (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn).
Regardless of the ultimate legal outcome, the fact that a CISO faces fraud charges is a watershed moment. It puts CISOs and executives on notice that regulators expect truthful disclosure of cyber risks and will hold individuals accountable for deception (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).
Lessons and Actionable Advice for CISOs and Security Leaders
The SolarWinds saga and SEC lawsuit carry abundant lessons for security professionals. For CISOs, in particular, it highlights how technical diligence and transparent risk communication are both essential to avoid devastating breaches and legal liability.
Here are key takeaways and actionable strategies:
Align Words with Deeds: Ensure that all public statements about security match reality. Marketing materials, website security statements, privacy policies, and SEC filings must accurately reflect your security program (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). If you claim to follow a framework (e.g. NIST CSF or a secure SDLC), be sure those practices are truly in place – if not, don’t misrepresent it. Periodically review these statements for accuracy, and update them as your program evolves. Inconsistencies between what you say and what you do can constitute fraud.
Address Known Weaknesses Proactively: It sounds basic, but fix your security issues! The SolarWinds case shows the peril of ignoring internal red flags. When audits or employees identify vulnerabilities (weak passwords, misconfigurations, excessive access, etc.), treat them as material risks and remediate promptly (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Don’t assume you can quietly “accept” the risk indefinitely. Unresolved security gaps not only increase breach likelihood but, if later exposed, can be evidence of negligence or recklessness. Create a robust process for tracking remediation of findings and hold owners accountable for timely fixes.
Implement Strong Security Controls End-to-End: Key technical controls must be more than paper policies. Enforce a rigorous Secure Development Lifecycle for all product development (with code review, security testing, and vulnerability management) (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Establish enterprise-wide password management standards (unique, complex passwords stored securely, no defaults) and use technical enforcement tools to prevent the kind of password issues SolarWinds had (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Apply least privilege access: minimize admin accounts, audit privileges regularly, and secure remote access pathways (VPNs, RDP) with strong authentication and monitoring (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Had these basics been in place, SolarWinds might have thwarted or at least limited the Sunburst attack. For CISOs, strengthening these controls is not just about breach prevention – it’s about being able to honestly attest to your security posture.
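The kind of technical enforcement this item calls for can start with a simple, repeatable audit of configuration files for exactly the failings the complaint describes: default passwords such as “password” and database credentials stored in clear text. The script below is an added example for this post, not SolarWinds’ tooling or anything from the complaint; the file names, key names and password-policy thresholds are assumptions, and the sample configs are constructed.

```python
"""Audit key=value configuration files for the password failings described
in the SEC complaint: default/trivial passwords and secrets kept in plain text.
Added example; file names, key patterns and policy thresholds are assumptions."""
import re
from dataclasses import dataclass

# A line whose key looks credential-bearing (assumed naming: password, passwd, pwd, secret).
CRED_KEY = re.compile(
    r'^\s*(?P<key>[\w.\-]*(?:password|passwd|pwd|secret)[\w.\-]*)\s*[=:]\s*(?P<value>.*?)\s*$',
    re.IGNORECASE,
)
# Trivial defaults that should never appear in a config (assumed list; extend as needed).
DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme", "default", ""}
# Values that are hashed or referenced from a secret store rather than stored in clear text.
NOT_PLAINTEXT = re.compile(r'^(\$2[aby]\$|\$argon2|\$6\$|\$5\$|\{SHA|\{SSHA|ENC\(|\$\{)')


@dataclass
class Finding:
    file: str
    line: int
    key: str
    issue: str  # "default_password" | "plaintext_secret" | "weak_password"


def complex_enough(pw: str, min_len: int = 12) -> bool:
    """Assumed policy: at least min_len characters and three of four character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r'[a-z]', r'[A-Z]', r'\d', r'[^\w]'))
    return len(pw) >= min_len and classes >= 3


def audit_config(name: str, text: str) -> list[Finding]:
    """Return one Finding per policy violation found in a config file's text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(('#', ';', '//')):
            continue  # blank or comment line
        m = CRED_KEY.match(line)
        if not m:
            continue  # not a credential-bearing key
        key = m.group('key')
        value = m.group('value').strip().strip('"\'')
        if NOT_PLAINTEXT.match(value):
            continue  # hashed, or a reference into a secret store: acceptable
        if value.lower() in DEFAULT_PASSWORDS:
            findings.append(Finding(name, lineno, key, "default_password"))
            continue
        # Anything else is a clear-text secret; a strong value in clear text is still a finding.
        findings.append(Finding(name, lineno, key, "plaintext_secret"))
        if not complex_enough(value):
            findings.append(Finding(name, lineno, key, "weak_password"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by issue type, e.g. for a remediation tracker."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample files; these are not real SolarWinds configuration files.
SAMPLE_CONFIGS = {
    "db.properties": "\n".join([
        "# database connection (constructed sample)",
        "db.host=db01.corp.example",
        "db.user=svc_app",
        "db.password=password",
    ]),
    "app.ini": "\n".join([
        "[auth]",
        "; strong value, but still stored in clear text",
        'admin_pwd = "Tr0ub4dor&3x-2024"',
        "api_secret = ${VAULT_API_SECRET}",
        "ldap_password = $6$rounds=5000$saltsalt$hashhashhash",
        "legacy_passwd = summer2019",
    ]),
}


def audit_all(configs: dict[str, str] = SAMPLE_CONFIGS) -> list[Finding]:
    """Audit every file in the mapping and return the combined findings."""
    results: list[Finding] = []
    for name, text in configs.items():
        results.extend(audit_config(name, text))
    return results


if __name__ == "__main__":
    all_findings = audit_all()
    for f in all_findings:
        print(f"{f.file}:{f.line} {f.key}: {f.issue}")
    print("summary:", summarize(all_findings))
```

Run against real configuration directories, the findings list becomes the evidence trail that the remediation process in the previous item needs, and the summary is what a CISO can honestly report upward.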
Enhance Detection and Incident Response: The faster you detect and respond to an intrusion, the less damage (and regulatory scrutiny) you may face. Invest in monitoring, logging, and threat detection capabilities so you aren’t blind to attacks on your systems. SolarWinds only learned of its compromise from a third party, which is a situation to avoid. Ensure your incident response plan includes criteria for when and how to escalate potential security incidents up the chain.
Establish a Culture of Transparency: Cultivate an environment where cybersecurity issues are taken seriously and escalated appropriately. CISOs should regularly brief senior executives and the board on significant vulnerabilities, incidents, and risks (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). If there is a disclosure committee or risk committee, make sure cyber risks have a voice there. Document these discussions and decisions. The goal is twofold: executives can support and resource security improvements, and the company can decide what needs to be disclosed to investors. When people fear that flagging problems will hurt the company image, it creates the kind of “head-in-sand” culture that plagued SolarWinds (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). By contrast, a transparent culture will treat cybersecurity as a shared responsibility and a priority for corporate governance.
Avoid Boilerplate and Omission in Disclosures: Craft investor disclosures (risk factors, incident notices, etc.) that are specific and candid about your situation. The SEC has made clear that purely hypothetical or generic cybersecurity risk statements are inadequate if specific known issues exist (SolarWinds Corporation and Timothy G. Brown) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). For CISOs, this means working with your legal and compliance teams to ensure risk disclosures are up-to-date and don’t sugarcoat ongoing problems. It’s better to disclose a known vulnerability and what’s being done about it, than to say nothing and later be accused of hiding it. Likewise, if a breach happens, resist the instinct to downplay or obfuscate; provide accurate details (to the extent known) rather than vague assurances that could mislead (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). Regulators (and plaintiffs) can and will call out half-truths.
Document and Follow Procedures: Have clear, documented procedures for how cybersecurity information flows within your organization. For example, establish a formal process where the CISO must certify to the accuracy of cybersecurity disclosures or attest that all major incidents have been reported to top management. Then follow those processes. SolarWinds’ CISO signed sub-certifications that all material incidents were disclosed to senior execs when that wasn’t the case (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). This kind of lapse can be career-ending. Make sure that your internal controls for disclosure – such as checklists or sign-offs before SEC filings – include cybersecurity inputs and that you as CISO are involved and truthful.
Prepare for Supply Chain Attacks: One of the big lessons of Sunburst is that adversaries target not just companies, but their suppliers and update mechanisms. Security leaders should harden their software build and distribution pipelines (e.g., protect code signing keys, monitor build servers, enforce MFA for developers) to prevent tampering (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn). Similarly, vet and monitor the security of third-party components and dependencies in your products. Supply chain security is now a board-level concern – demonstrate that you have controls in place to mitigate this complex risk.
Mind the Legal and Regulatory Landscape: The SEC’s action against SolarWinds coincided with new SEC rules (effective 2024) mandating prompt disclosure of material cyber incidents and regular reporting on cyber risk management. Regulatory expectations are rising. CISOs should stay closely engaged with counsel to ensure compliance with these rules and to understand how emerging legal interpretations (like the partial dismissal of certain SEC claims in the SolarWinds case) might impact the company. Also, be aware that a major breach can spawn shareholder lawsuits – SolarWinds faced class-action and derivative suits as well (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP) – so rigorous cybersecurity oversight is part of your duty of care to the company and its stakeholders.
Insurance and Risk Transfer: Finally, given the financial fallout that can accompany breaches (fines, legal costs, settlements), organizations should review their insurance coverage for cyber incidents and director/officer liability (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP). While insurance won’t prevent a breach, having appropriate coverage can be a backstop if, despite best efforts, a serious incident and litigation occur. CISOs can play a role in informing risk managers about the technical and legal risks to be insured against.
Conclusion
The SEC’s SolarWinds complaint is a wake-up call for the cybersecurity and risk management community. It underscores that cybersecurity is not just an IT issue but a material business issue that can lead to regulatory enforcement and personal liability if mismanaged.
For CISOs, the case drives home the importance of both sound security practices and honest communication.
On one hand, fundamental security measures (secure coding, strong passwords, vigilant patching, etc.) might have averted the Sunburst breach or at least mitigated it – reinforcing the mantra that basics matter.
On the other hand, the cover-up is often worse than the crime: misleading your investors, customers, or regulators about cybersecurity can be as damaging as the breach itself.
By learning from SolarWinds’ mistakes – fixing problems early, cultivating transparency, and aligning cybersecurity governance with regulatory expectations – security leaders can better protect their organizations and steer clear of the legal quagmire that follows a major cyber incident.
In today’s environment, CISOs must be both defenders of the network and guardians of the truth when it comes to cybersecurity. The SolarWinds saga shows what can happen when either of those duties lapses.
References (Sources)
SEC v. SolarWinds Corp. and Timothy G. Brown, SEC Litigation Complaint No. 1:23-cv-9518 (S.D.N.Y. Oct. 30, 2023) – allegations of securities fraud and internal control failures; includes a detailed description of SolarWinds’ security deficiencies (SolarWinds Corporation and Timothy G. Brown).
U.S. Securities and Exchange Commission, Press Release 2023-227 (Oct. 30, 2023): “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures” – summary of the SEC’s charges and allegations (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures).
White & Case LLP, Client Alert (Nov. 2023): “The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies” – legal analysis of the SolarWinds enforcement action and practical lessons for companies (source of the “Key takeaways” above) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).
Gibson Dunn, Client Alert (July 25, 2024): “Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement” – update on the court’s initial ruling, noting that many SEC claims were dismissed, except those related to SolarWinds’ Security Statement misrepresentations (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn).
SEC v. SolarWinds – Complaint excerpts (2018–2020 internal communications and audits) – e.g., an engineer’s 2018 “not very secure” VPN warning (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures); Brown’s “very vulnerable” assessment (SolarWinds Corporation and Timothy G. Brown); audit findings of the default “password” and plaintext credentials (SolarWinds Corporation and Timothy G. Brown); the internal email “We’re so far from being a security minded company” (SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures).
SolarWinds breach context – media/industry reporting on the 2020 Sunburst attack and its supply-chain mechanism (Dismissal of Much of SEC’s SolarWinds Complaint Has Potentially Broad Implications for SEC Cybersecurity Enforcement - Gibson Dunn).
White & Case LLP, Key takeaways for CISOs and companies – guidance on improving cybersecurity practices and disclosures to meet SEC expectations (e.g., escalating issues, avoiding boilerplate risk disclosure) (The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies | White & Case LLP).