header banner

For hiding cyberthreats prior to a significant hack, SolarWinds is being sued by the US SEC

Table of Contents

The seal of the U.S. Securities and Exchange Commission (SEC) is seen at their headquarters in Washington, D.C.

The seal of the U.S. Securities and Exchange Commission (SEC) is seen at their headquarters in Washington, D.C., U.S., May 12, 2021. Picture taken May 12, 2021. REUTERS/Andrew Kelly/File Photo Acquire Licensing Rights

  • Companies
  • Law Firms

NEW YORK, Oct 30 (Reuters) - The U.S. Securities and Exchange Commission on Monday sued software company SolarWinds Corp (SWI.N) and its top information security executive, saying they defrauded investors by hiding cybersecurity weaknesses during a massive hack targeting the U.S. government.

The SEC lawsuit in Manhattan federal court accused SolarWinds and Timothy Brown, its chief information security officer (CISO), with repeatedly violating U.S. securities laws by concealing vulnerabilities and cyber events in regulatory filings and other company statements.

Monday's lawsuit appears to be the first time the SEC has sued a company that has been victim of a cyberattack, rather than charging and simultaneously settling.

SolarWinds, based in Austin, Texas, slammed the regulator's "overreach" and pledged to fight the charges in court.

It said the charges were "unfounded," put national security at risk, and "should alarm all public companies and committed cybersecurity professionals across the country."

Chief Executive Sudhakar Ramakrishna said in a blog post: "The SEC's charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security."

Alec Koch, a lawyer for Brown, said his client performed his job with "diligence, integrity and distinction," and looked forward to defending his reputation and correcting the inaccuracies in the SEC complaint.

Shares of SolarWinds fell more than 3% after market hours, following the filing of the lawsuit.


The nearly two-year hacking known as Sunburst, the outlines of which were first reported by Reuters, was one of the most sweeping cyber intrusions ever discovered.

Hackers were able to use SolarWinds' flagship network management software, Orion, as a springboard into U.S. government networks and international targets.

Several federal agencies were compromised, including the Departments of State, Treasury, Homeland Security, Commerce and Energy. The full consequences of the breach, some hidden behind layers of classification, remain unknown.

Regulators found SolarWinds misled the public about repeated cybersecurity risks it faced between as its 2018 initial public offering and its December 2020 disclosure about the attack.

Authorities said Brown internally discussed known risks and vulnerabilities but painted a starkly different portrayal to the public, even as customers including a federal agency alerted SolarWinds to malicious activity on its flagship software.

According to the SEC, the problems prompted one SolarWinds employee to say in October 2020: "We're so far from being a security minded company. Every time I hear about our head geeks talking about security I want to throw up."

Alexander Urbelis, a cybersecurity lawyer at Crowell & Moring LLP, said authorities have become more attentive to holding executives liable for cybersecurity failures.

He cited the October 2022 obstruction conviction of a former Uber Technologies (UBER.N) security chief for covering up a data breach.

"That was a massive wakeup call for CISOs across the board," Urbelis said.

Reporting by Jonathan Stempel and Chris Prentice in New York, and Raphael Satter in Washington; Editing by Marguerita Choy and Tom Hogue

Our Standards: The Thomson Reuters Trust Principles.

Chris Prentice reports on financial crimes, with a focus on securities enforcement matters. She previously covered commodities markets and trade policy. She has received awards for her work from the Society for Advancing Business Editing and Writing and the Newswomen’s Club of New York.

Reporter covering cybersecurity, surveillance, and disinformation for Reuters. Work has included investigations into state-sponsored espionage, deepfake-driven propaganda, and mercenary hacking.


Article information

Author: Jesse Bailey

Last Updated: 1700334482

Views: 1045

Rating: 4.2 / 5 (48 voted)

Reviews: 99% of readers found this page helpful

Author information

Name: Jesse Bailey

Birthday: 1912-01-12

Address: 34756 Cynthia Rapids Apt. 109, Port Valerieside, KY 50925

Phone: +3650334862197344

Job: Plumber

Hobby: Swimming, Snowboarding, Video Editing, Card Collecting, Robotics, Sculpting, Puzzle Solving

Introduction: My name is Jesse Bailey, I am a unswerving, exquisite, striking, rare, talented, multicolored, rich person who loves writing and wants to share my knowledge and understanding with you.