SEC charges SolarWinds with fraud in connection with SUNBURST cyberattack

The SEC alleges that SolarWinds and Brown defrauded investors by misrepresenting the company’s cybersecurity practices and understating known cybersecurity risks.

Credit: REUTERS/Sergio Flores

The US Securities and Exchange Commission (SEC) has charged SolarWinds Corporation, a software company based in Austin, Texas, and its Chief Information Security Officer, Timothy G. Brown, with fraud and internal control failures related to cybersecurity risks and the SUNBURST cyberattack.

The SEC alleges that SolarWinds and Brown defrauded investors by misrepresenting the company’s cybersecurity practices and understating known cybersecurity risks from its 2018 IPO to the disclosure of the cyberattack in December 2020. Internal assessments and communications revealed discrepancies between public statements and actual cybersecurity vulnerabilities. Brown, aware of the risks, allegedly failed to address them adequately. SolarWinds’ incomplete disclosure of the SUNBURST attack led to a 25% stock price drop over two days and a 35% drop by the end of December 2020.

The SEC seeks permanent injunctive relief, disgorgement, civil penalties, and an officer and director bar against Brown. The enforcement action emphasises the importance of accurate disclosures and reinforces the SEC’s message to companies to implement strong controls and transparently communicate known concerns to investors.