CISOs rally in defense of SolarWinds’ Brown versus SEC match

Industry peers of Timothy G. Brown, SolarWinds’ primary info gatekeeper, revealed issue in a court filing this month that the Securities and Exchange Commission is attempting to hold Brown accountable for public declarations from the business that supposedly deceived financiers about SolarWinds’ cybersecurity practices prior to its notorious 2020 cybersecurity breach.

From 2018 to 2020, before he was called CISO and before SolarWinds found the Sunburst attack, Brown composed several personal memos to business executives and others revealing issue about SolarWinds’ cybersecurity posture. He stated in October 2018, for instance, that the business’s “current state of security leaves us in a very vulnerable state for our critical assets.”

The SEC claims this programs Brown understood SolarWinds’ public declarations about its strong security posture were deceptive. Thirty existing and previous CISOs, consisting of the CISOs of City National Bank of Florida and Axis Capital, stated in their own short submitted Feb. 2 that the “alleged inadequacies” in SolarWinds’ public filings are “not typically” the duty of CISOs like Brown, and pinning liability for them on him is disadvantageous. The CISOs signed the short in their individual capabilities, not on behalf of their organizations.

“Liability under these theories empowers threat actors, chills internal communications about cyber-threats, exacerbates the already severe shortage of cybersecurity professionals, and deters collaboration between the private sector and the government,” the CISOs stated.

In the initial problem from October, the SEC declared Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the company’s poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

Far from declaring SolarWinds’ cybersecurity practices sufficed, Brown stated while examining a May 2020 attack on a U.S. federal government firm that it was “very concerning” that the aggressor might have been wanting to utilize SolarWinds’ Orion software application in bigger attacks since “our backends are not that resilient.” Indeed, assailants were currently making use of vulnerability because extremely software application to permeate several other U.S. firms.

But openly, SolarWinds promoted its security practices in a declaration on its site that, the SEC declared, consisted of several incorrect claims about the business’s security practices. These declarations consisted of that SolarWinds abided by a popular structure for assessing cybersecurity practices, utilized a safe and secure advancement lifecycle, had strong password security and kept great gain access to controls.

The SEC provided proof that each of these declarations were incorrect, and it likewise declared Brown was determined as the “owner” or “approver” of the general public declarations in several business files.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks,” stated Gurbir Grewal, director of the SEC’s department of enforcement, in October. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

Grewal stated the suits versus Brown and SolarWinds are developed to highlight a message to stock providers: “Implement strong controls calibrated to your risk environments and level with investors about known concerns.”

But for their part, the 30 CISOs who submitted this month’s short stated the SEC’s effort to “weaponize” Brown’s honest examinations “cannot be reconciled” with the persistence that Brown stopped working to adequately alert senior executives of SolarWinds’ vulnerabile state.

Among the other defenses the 30 CISOs who submitted this month’s short provided, one is that the SEC’s suit versus Brown threatens to chill internal conversations and honest self-assessments such as those that Brown provided internally.

“The SEC’s action would give CISOs an incentive to refrain from candid communication for fear that an internal email or presentation intended to improve cybersecurity measures will be taken out of context by the SEC to claim that a CISO deliberately misled investors,” the short read.

Attorneys for Brown and SolarWinds stated last month in a movement to dismiss the SEC’s case versus the business that the SEC’s targeting of Brown was “not only unwarranted but inexplicable” since Brown merely did his task, and “did it well.”

“Brown is not even alleged to have played a role in the company’s risk factor disclosures, and there is no conduct alleged remotely suggesting that he ever sought to deceive investors,” the movement to dismiss checks out. “The SEC also fails to articulate any coherent theory of aiding-and-abetting liability against Brown.”


A news media journalist always on the go, I've been published in major publications including VICE, The Atlantic, and TIME.

Related Articles

Back to top button