SEC Charges SolarWinds CISO with Fraud over Cybersecurity Failures

The US Securities and Exchange Commission (SEC) has charged SolarWinds and its CISO with fraud and internal control failures for failing to disclose significant cybersecurity risks and vulnerabilities over at least a two-year period.

In 2018, SolarWinds was the target of the famous attack known as “SUNBURST”, a two-year-long hacker operation that managed to install backdoored malware on the assets of 18,000 SolarWinds customers. Many of them were high-profile organizations, including US agencies such as the Pentagon, the Department of Homeland Security, and the State Department, as well as multinational companies such as Cisco, Intel, and Microsoft.

According to an SEC statement issued October 30, SolarWinds made an incomplete disclosure of the attack at the time, and in the years since has failed to fully disclose the company’s cybersecurity gaps and issues. Moreover, the company has routinely overstated its cybersecurity best practices and misled investors.

The SEC’s complaint seeks “permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown”, SolarWinds’ CISO.

The SEC’s actions show that cybersecurity should be taken seriously and should include adequate prevention as well as remediation strategies; otherwise, companies may face serious legal consequences.

It is important to identify ongoing risks and apply effective measures to improve security posture, but also to take an objective and realistic view. The SEC statement reveals that an internal SolarWinds document mentions that “the volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”

This is not an uncommon predicament. Companies frequently find themselves overwhelmed when it comes to security issues and often fail to allocate enough funds and personnel to rectify them. Furthermore, ‘alert fatigue’ is a rapidly growing problem: security tools generate so many alerts that assessing and fixing them becomes an impossible task.

This is one of the key issues Cyscale set out to solve. By applying context to each security alert, Cyscale aims to help companies overcome the challenges of slim resources and budgets by prioritizing security issues and guiding professionals to work on the 20% of things that matter and make 80% of the difference.

© 2024 Cyscale Limited