In a significant development, the Securities and Exchange Commission (SEC) has filed charges against SolarWinds Corporation, a software company based in Austin, Texas, and its chief information security officer, Timothy G. Brown. The charges relate to allegations of fraud and internal control failures, particularly in regards to the company's cybersecurity practices and known risks.

The complaint, filed in the Southern District of New York, asserts that SolarWinds and Brown engaged in fraudulent activities and neglected internal control measures concerning cybersecurity risks and vulnerabilities. The period in question spans from the company's initial public offering in October 2018 until the announcement in December 2020 that SolarWinds had fallen victim to a major cyberattack known as "SUNBURST." During this time, SolarWinds and Brown are alleged to have misled investors by misrepresenting the company's cybersecurity practices and downplaying or concealing known risks.

According to the SEC complaint, SolarWinds' public statements regarding its cybersecurity practices contradicted its internal assessments. An internal 2018 presentation from a company engineer, which was shared with Brown, highlighted the vulnerability of SolarWinds' remote access setup, stating that it was "not very secure" and that it allowed an attacker to go undetected until it was too late. The presentation warned of potential "major reputation and financial loss" for SolarWinds. Additionally, 2018 and 2019 presentations by Brown acknowledged the vulnerability of the company's critical assets and the inappropriate access and privileges to these systems and data.

Internal communications among SolarWinds employees, including Brown, in 2019 and 2020 also raised concerns about the company's ability to protect critical assets from cyberattacks. Brown expressed worry about potential attacks utilizing SolarWinds' software, stating that the company's "backends are not that resilient." An internal document from September 2020 indicated that the volume of security issues identified had surpassed the engineering teams' capacity to resolve them.

The SEC's complaint alleges that Brown was aware of these cybersecurity risks and vulnerabilities but failed to address them adequately or escalate them within the company. Consequently, SolarWinds was unable to provide reasonable assurances that its valuable assets, including the flagship Orion product, were adequately protected.

SolarWinds' incomplete disclosure about the SUNBURST attack in a December 2020 filing caused a significant decline in the company's stock price. Over the span of two days, the stock dropped approximately 25 percent, with an overall decrease of around 35 percent by the end of the month.

Gurbir S. Grewal, the Director of the SEC's Division of Enforcement, emphasized that SolarWinds and Brown ignored various warning signs about the company's cybersecurity risks, leading one subordinate to opine that they were "so far from being a security-minded company." Grewal stressed the importance of implementing robust controls aligned with risk environments and transparently informing investors about known concerns.

The SEC's complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown. The SEC's investigation was conducted by W. Bradley Ney, Lory Stone, and Benjamin Brutlag, with the assistance of Christopher Bruckmann and Kristen Warden from the Trial Unit. The litigation will be led by Bruckmann and Warden under the supervision of Melissa Armstrong.

This enforcement action serves as a reminder to companies to prioritize cybersecurity and ensure transparency regarding potential risks to protect investors and maintain trust in the market.