SEC Lawsuit Against SolarWinds CISO

by Samuel Brown

The SEC’s SolarWinds Lawsuit: The Implications for Investors and CISOs

Recently, the U.S. Securities and Exchange Commission (SEC) announced a lawsuit against SolarWinds, a major IT management software provider. The lawsuit alleges that SolarWinds intentionally misled investors and customers by choosing not to disclose a significant cybersecurity vulnerability in its products and overstating its implementation of cybersecurity controls, leading to a massive breach that impacted numerous organizations worldwide.

In this article, we discuss what happened and the implications for investors and those in charge of cybersecurity in-house. At the end of this article, we provide both investors and CISOs with a high-level set of Top Tips to manage what appears to be a new standard for accountability relating to cybersecurity best practices and transparency of risk.


What Has Actually Happened?

The U.S. Securities and Exchange Commission (SEC) has recently announced charges against the Austin, Texas-based software company, SolarWinds Corporation, and its Chief Information Security Officer (CISO), Timothy G. Brown. The charges pertain to fraud and internal control failures related to allegedly known cybersecurity risks and vulnerabilities.

From at least its October 2018 initial public offering (IPO) through at least its December 2020 announcement of a massive, nearly two-year-long cyberattack termed “SUNBURST,” SolarWinds and Brown are alleged to have defrauded investors.

The company is alleged to have been…

“overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”


The SEC claims that during this period, SolarWinds disclosed only “generic and hypothetical risks” to investors, even when the company and Brown were aware of specific deficiencies in their cybersecurity practices and the elevated risks they faced.

The SEC’s complaint highlights a stark contrast between SolarWinds’ public statements about its cybersecurity practices and its internal assessments. For instance, a 2018 presentation by a company engineer, which was shared internally, including with Brown, indicated that SolarWinds’ remote access set-up was “not very secure.” The presentation warned that exploiting the vulnerability could lead to “major reputation and financial loss” for SolarWinds. Furthermore, presentations by Brown in 2018 and 2019 reportedly stated that the company’s security left its critical assets in a “very vulnerable state.”

The SEC also alleges that throughout 2019 and 2020, multiple communications among SolarWinds employees, including Brown, raised concerns about the company’s ability to protect its critical assets from cyberattacks. For instance, in June 2020, Brown expressed concerns about an attacker potentially using SolarWinds’ Orion software for larger attacks, noting that the company’s “backends are not that resilient.”

The culmination of these lapses was the SUNBURST attack, which SolarWinds disclosed in a December 14, 2020, Form 8-K filing. Following this disclosure, the company’s stock price plummeted by approximately 25% over the next two days and around 35% by the end of the month.

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, commented on the situation, stating, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company.” He continued:

“SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The SEC’s complaint, filed in the Southern District of New York, alleges multiple violations by SolarWinds and Brown, including the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. The SEC seeks various reliefs, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

Summary: The SEC’s lawsuit against SolarWinds underscores the need for independent scrutiny of companies regarding their cybersecurity practices. Investors cannot rely solely on the visibility of cyber risks they receive from in-house security teams. This lack of transparency and proactive action has put many organizations at risk, leading to potential financial and reputational damages.

What Implications Are There For CISOs & Investors?

So what does this mean for everyone else?

The SolarWinds incident highlights the critical need for organizations, especially those in private equity, charities, insurance, and other sectors, to obtain independently assessed visibility into their cybersecurity practices. Relying solely on internal assessments or assurances from software providers is no longer sufficient. NorthCap’s assessments of what’s currently in place have just become much more valuable and important for every PE House and all their OpCos.

Independent cybersecurity assessments and portfolio-wide structured cybersecurity risk management programs, like those provided by NorthCap, offer a comprehensive and unbiased evaluation of an organization’s cybersecurity posture over time. They provide a clear picture of potential vulnerabilities, ensuring that CISOs and their investors have the necessary information to make informed decisions.

Below is a high-level set of Top Tips to give investors and CISOs a basic idea of how best to respond to the SEC announcement, so as to minimize potential risks and reassure internal and external stakeholders.

Top 5 Tips for Investors:

  1. Due Diligence: Before investing, ensure that the company has a robust cybersecurity framework in place. Understand their past incidents, how they were handled, and the lessons learned.
  2. Seek Independent Assessments: Don’t rely solely on the company’s internal assessments. Engage with third-party cybersecurity experts to get a clear, unbiased picture of the company’s cyber posture.
  3. Avoid Complacency Based on Size: A company’s size or market reputation doesn’t guarantee its cybersecurity resilience. Regardless of a company’s stature, adopt a structured approach to assessing its cybersecurity capabilities and ensure proactive measures are taken to address any discovered deficiencies.
  4. Collaborate: Establish a close working relationship with the company’s CISO and cybersecurity team. Understand their challenges, provide necessary resources, and ensure that cybersecurity strategies align with business goals.
  5. Prioritize Cybersecurity: In all investment decisions, ensure that cybersecurity is not an afterthought but a top priority. Recognize that a robust cybersecurity posture is not just about risk mitigation but also about safeguarding brand reputation and trust.


Top 5 Tips for CISOs:

  1. Continuous Education: The cybersecurity landscape is ever-evolving. Stay updated with the latest threats, vulnerabilities, and mitigation techniques. Attend workshops, webinars, and conferences to ensure you’re always a step ahead of cyber adversaries.
  2. Strengthen Internal Communication: Foster a culture where cybersecurity is everyone’s responsibility. Regularly communicate with all departments, ensuring they understand the importance of security protocols and are aware of the latest threats.
  3. Implement Multi-Layered Defense: Don’t rely on a single security solution. Implement a multi-layered defense strategy that includes firewalls, intrusion detection systems, encryption, and regular audits.
  4. Incident Response Plan: Having a plan in place is crucial. Ensure that there’s a clear protocol for identifying, reporting, and mitigating breaches. Regularly test and update this plan to adapt to new challenges.
  5. Seek External Validation: Internal assessments are essential, but an external perspective can offer invaluable insights. Regularly engage with third-party experts for independent evaluations and recommendations.

By implementing the above and seeking to leverage the value that outsourced assurance partners can provide – especially to investors who often lack the expertise to understand the cyber risks they are being presented with – you can sleep a little easier knowing you have made it that bit less likely that your name will be next on the headlines.

Conclusion:

The SEC's lawsuit against SolarWinds is a stark reminder of the importance of cybersecurity in today's digital age. For CISOs, investors, and organizations at large, it's crucial to prioritize cybersecurity and ensure that they have the right measures in place to protect their assets. By collaborating with trusted partners like NorthCap, organizations can navigate the complex cybersecurity landscape with confidence.

For more insights and support on cybersecurity best practices, reach out to NorthCap.
