The Securities and Exchange Commission (SEC) has charged Timothy Brown, who serves as the Chief Information Security Officer (CISO) at SolarWinds, with fraud. This action comes several months after the SEC initially indicated its intention to bring charges against him.
These charges stem from allegations that he provided false information to investors, specifically in relation to “overstating SolarWinds cybersecurity practices” while failing to disclose known risks. The legal proceedings are currently underway, based on a complaint filed in the Southern District of New York.
According to media reports, the SolarWinds cyberattack lasted for more than two years between October 2018 and December 2020. This cyberattack is said to be connected with the Russian Foreign Intelligence Service.
The complaint against Timothy is based on a violation of two laws of the land. He is said to have violated the Securities Exchange Act of 1934 and some provisions of the Securities Act of 1934 pertaining to antifraud provisions.
As reported by The Record Media, the SEC has expressed its intention to pursue a legal course against Brown, aiming for permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar.
Details of the SolarWinds Cyberattack
The SolarWinds Cyberattack started when the hackers started malware intrusions into the company’s IT monitoring system called Orion. Then they deployed multiple more malware that compromised the company’s cloud-based and internal systems and kept stealing sensitive information for several months. The stolen information is linked to several US government agencies like the Departments of Energy, Defense, Homeland Security, Treasury, Commerce, Justice, Energy, and more.
The SEC has further asserted that SolarWinds, at a time when the company and Brown were aware of specific deficiencies in their cybersecurity practices and the mounting risks they were encountering, “misled investors by disclosing only generic and hypothetical risks.
According to the SEC, the internal reports shared with Timothy earlier provided a clear indication that SolarWinds’ remote access setup was vulnerable. The reports suggested that cybercriminals could essentially operate without detection until it was too late, ultimately resulting in “major reputation and financial loss” for SolarWinds. However, these red flags went unheeded.
The SEC’s SolarWinds Cyberattack complaint also has evidence that Timothy had once accepted that their “backends are not that resilient” in a cyberattack incident on its client while accepting that the attackers might have done so by using the backend of SolarWinds’ Orion software. He was also informed by an employee in September 2020 that the “volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”
Gurbir Grewal, SEC Division of Enforcement’s director said, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company.”
He also said, “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The entire scenario reveals that Timothy Brown possessed a clear understanding of the cybersecurity issues at SolarWinds; however, he took no action to address these concerns or escalate the matter to higher company management. The SEC further contends that the disclosure of cyberattacks on SolarWinds in 2020 was incomplete and suggests that certain pertinent details intentionally remained undisclosed.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.