Last night, the US Securities and Exchange Commission (SEC) made an official statement, in which was accused by Timothy Brown, the head of the SolarWinds information security service, in deception of investors and misleading them regarding the company’s cybersecurity practices.
The complaint filed in the Southern District of New York states that Brown violated the provisions on the fight against fraud of the 1933 securities law and the law on the exchange of securities of 1934.
SEC requires the imposition of a permanent court prohibition on Brown, the return of illegally received funds with interest, civil sanctions, as well as a ban on Brown’s occupation in other companies.
For several months, the SEC hinted to acconderate the leaders of SolarWinds for their role in Kiberatak, which lasted almost two years. Attackers then introduced malicious software in the Orion branded application, necessary for monitoring IT systems, which allowed foreign hackers to penetrate dozens of American departments and freely unload confidential data from them.
According to SEC, from the moment of SolarWinds on IPO in October 2018 and before the announcement of a hacker attack in December 2020, the company provided investors with only general risk information, while the company management, including Brown, was aware of specific disadvantages in the practices of cybersecurity and increased risks.
Instead of eliminating these vulnerabilities, SolarWinds and Brown, according to the SEC, began a campaign to create a false idea of the cyber control environment at SolarWinds, depriving investors of accurate information. SEC actions not only charge SolarWinds and Brown of the introduction of investors in misconception and dismissive attitude to the protection of the most important assets of the company, but also emphasize the message to issuers: it is necessary to introduce strong control measures corresponding to the risks of the environment and be open to investors relatively well -known problems.
The representative of SolarWinds, in turn, expressed disappointment in connection with the “baseless accusations” by the SEC. Brown’s lawyer said on his behalf that he “with conscientiousness and a high degree of responsibility was constantly working to improve the cybersecurity of the company.”
SEC indicates internal reports that indicate that Brown was aware of the problems with cybersecurity in the company, but did not take steps to eliminate them or did not report them at a higher level. The commission also notes that the disclosure of information about cyberataka in December 2020 was