United States: SEC sues SolarWinds

The Securities and Exchange Commission (SEC), the US stock exchange regulatory authority, filed a lawsuit at the end of October 2023, against the SolarWinds software publisher and its CISO, Timothy Brown. The Commission is accusing the company of deceiving investors by minimizing the cyber risk it was exposed to. For years, SolarWinds allegedly “ignored repeated warning signals” that “were well-known within the company.”

At the end of 2020, the software publisher was the target of a spectacular cyberattack attributed by the White House to APT29, a cybercriminal group with ties to the SVR, Russia’s Foreign Intelligence Service. SolarWinds provided services for thousands of organizations, and the attack affected 16,000 computer systems and 1,800 entities, including sensitive agencies.

According to the SEC, SolarWinds’ CISO, in 2018 and 2019, lamented insufficient cyberprotection of the company’s critical assets, which made it “highly vulnerable”. In 2018, an engineer voiced criticisms internally, citing breakdowns in remote connection security, which would allow an attacker to “pretty much do what he wants without detection.” In September 2020, an internal memo explained that the volume of security issues exceeded the teams’ capabilities.

The head of SolarWinds, Sudhakar Ramakrishna, deems the suit “ill-advised and inappropriate.” According to him, his firm worked hard in 2020 to improve cybersecurity, thus mitigating the cyberattack’s effects.