The Securities and Exchange Commission (SEC) has charged SolarWinds (NYSE:SWI) and its chief information security officer with fraud and failures in regard to “allegedly known cybersecurity risks and vulnerabilities.” The hack has been attributed to Russian criminals. The SEC believes that investors were harmed by the lack of disclosure from the IT firm.
SolarWinds is a provider of IT management software designed to “accelerate” digital transformation.
The SEC alleges that a two-year-long cyber attack was downplayed as the company failed to disclose risks beginning around the time of the company’s IPO and up to at least 2020.
The SEC claims that public statements about its cybersecurity protocols and risks did not align with internal assessments, including an internal presentation that described the company’s remote access set-up as “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss.”
The complaint goes further, claiming that SolarWinds knew the problems but failed to resolve the issues.
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said the red flags were ignored and the risks well known but rather than address the problem, SolarWinds initiated a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.
SolarWinds has yet to issue a statement responding to the allegations, but the company is scheduled to release Q3 results this Thursday so the issue will be top of mind.
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.