SEC accuses SolarWinds CISO of misleading investors before Russian cyberattack

Anton Ioffe - October 31st 2023 - 5 minutes read

The SolarWinds case is drawing exceptional attention in the cybersecurity world. In this article we trace the events that led the Securities and Exchange Commission (SEC) to charge the company and its CISO, Timothy Brown, with misleading investors about cybersecurity risks in the period before the Orion supply-chain attack, an operation the US government has attributed to Russian intelligence. We unpack the gaps the SEC alleges existed in SolarWinds' cybersecurity practices, examine how the company and Brown have responded to the charges, and consider what this landmark case could mean for corporate accountability in managing cybersecurity risk.

Detailed Examination of the SEC's Charges Against SolarWinds and Its CISO

Breaking Down SEC's Accusations

According to the US Securities and Exchange Commission (SEC), both SolarWinds and its CISO, Timothy Brown, downplayed or withheld material information about the company's cyber risks. The SEC's case rests on internal assessments allegedly produced and circulated among senior staff at SolarWinds between 2018 and 2020. Those assessments, the SEC claims, described a cyber risk posture starkly different from the one the company presented publicly.

The SEC further alleges that SolarWinds and Brown made "misleading and false" statements about the firm's cybersecurity posture. Rather than disclosing the specific deficiencies it knew about, the SEC says, SolarWinds described its risks to investors in generic and hypothetical terms. The effect, according to the complaint, was to mislead investors about the security practices actually in place and about the escalating threats the company faced.

The gap between public statements and internal reality came into view with the large-scale supply-chain attack on SolarWinds that was disclosed in December 2020. The attackers, later attributed by the US government to Russian intelligence, inserted malicious code into routine software updates for the company's Orion platform. Those trojanized updates then served as the vehicle for intrusions into private companies and public sector bodies, including US government agencies. It is worth being precise about what the SEC charges: it does not blame SolarWinds for having been breached. It alleges securities fraud and internal control failures, on the theory that the company's public descriptions of its security posture did not match what its own assessments showed.

Dissecting the Internal Conflicts in SolarWinds Cybersecurity Approach

The SEC's complaint draws on internal presentations from 2018 and 2019 that warned of the consequences of the company's security gaps. In one, an engineer described the company's remote access setup as insecure and warned that exploitation of it could lead to major reputational and financial loss. According to the SEC, these warnings did not translate into remediation: the concerns were played down rather than addressed with stronger protective measures.

Internal communications from 2019 and 2020 show the same concern growing. In June 2020, Brown wrote of the risk that an attacker could use Orion as a foothold for larger attacks on customers, given how interconnected the product is. By September 2020 an internal document stated that the volume of security issues identified over the preceding month had outstripped the engineering teams' capacity to resolve them. Despite the danger being communicated internally, the SEC alleges, no commensurate improvement in security practices followed.

The consequences surfaced when the compromise of the Orion build went undetected for months. The SEC alleges that, although the company's own documents acknowledged these flaws, it failed to secure the environment it used to build and ship its software, the step that its internal risk assessments should have made a priority. The case therefore turns on two gaps: the one between what SolarWinds acknowledged internally and what it did about it, and the one between that internal knowledge and what it told investors. For any business, the lesson is that internal risk findings and external statements about security must be reconciled, and that findings which are recorded but not acted upon become evidence.

SolarWinds and Timothy Brown's Reactions to the Charges

In response to the SEC's allegations, SolarWinds rejected the charges as unfounded and said it would defend itself vigorously. The company stressed the sophistication of the attack, noting that US government agencies fell victim to the same adversary, and argued that every software company faces evolving threats and that none, SolarWinds included, can guarantee invulnerability.

Timothy Brown, SolarWinds' top security executive, who was charged personally, responded through counsel. His lawyer's statement said that Brown performed his responsibilities as Chief Information Security Officer (CISO) with diligence and integrity and worked continuously to improve the company's security posture during his tenure. It disputed the accuracy of the SEC's allegations and said Brown looked forward to defending his reputation and correcting the inaccuracies in the complaint.

The legal proceedings will test the SEC's charges against these defences. Whatever the outcome, the case will shape the liability and expectations placed on public companies, and specifically on their security leaders, with regard to cybersecurity disclosure.

Future Implications for Corporate Cybersecurity Management

Heading into an era of increased accountability, this legal battle sets a precedent that could strongly influence corporate practice. If the SEC prevails in holding a CISO personally liable for how cybersecurity risk is described to investors, the scope of executive responsibility expands considerably, pushing security leaders toward documented, proactive risk management rather than reactive damage control. It also raises the question of whether personal liability will encourage a culture of assigning blame rather than one of learning from mistakes.

The SEC's new cybersecurity disclosure rules, adopted in July 2023, require public companies to report material cyber incidents on Form 8-K within four business days of determining that an incident is material. Many practitioners worry about how such disclosures might be used against them. If executives face personal liability for what is disclosed, they may be incentivised to underreport or soften the description of issues. That would undermine the transparency and accuracy on which collaborative, industry-wide responses to cyber threats depend. How will fear of blame affect the open sharing of incident information across businesses?

Finally, there is the question of the broader effect on the corporate cybersecurity landscape. Fears of alienating conscientious cybersecurity professionals are not unfounded. Qualified people may avoid CISO roles because of the liability exposure, leaving businesses more vulnerable to attack. An environment of fear and blame could also discourage the public-private partnerships on which progress in cybersecurity depends. Are we inadvertently building a barrier to the very collaboration needed to meet ever-evolving cyber threats?

Summary

The Securities and Exchange Commission (SEC) has accused SolarWinds' Chief Information Security Officer (CISO), Timothy Brown, of misleading investors about cybersecurity risks prior to a devastating Russian cyberattack. The SEC alleges that SolarWinds and Brown downplayed or avoided disclosing crucial information and disseminated misleading statements about the company's cybersecurity posture. The article examines the SEC's charges, discusses the internal conflicts in SolarWinds' cybersecurity approach, and explores the reactions of SolarWinds and Timothy Brown. It also examines the future implications for corporate cybersecurity management, including potential changes in liability and accountability for cybersecurity incidents. Key takeaways include the potential impact on the practices of corporate industries, concerns about transparency and accuracy of cybersecurity incident reporting, and the potential for disincentivizing cybersecurity professionals and hindering collaboration and growth in the cybersecurity field.
