SolarWinds Responds to SEC Action
SolarWinds says that the recent lawsuit filed by the US Securities and Exchange Commission (SEC) “is fundamentally flawed—legally and factually—and we plan to defend vigorously against the charges.” The complaint alleges that SolarWinds and its former CISO defrauded customers and investors by obfuscating the company’s inadequate cybersecurity practices. SolarWinds maintains that the SEC has used “snippets of documents and conversations out of context to patch together a false narrative about our security posture.”
This is where your legal team will earn their retainer. And they need support from you to succeed. Without taking sides in the SolarWinds lawsuit, there are some lessons here we can leverage. Finalize and review assessment documents. Address deficiencies and document actions taken. Make sure that you're fully following your security standards, including documenting any risk acceptance or deviations. Have frank conversations with your internal auditors; remember, they work for you. Follow their guidance, or document why not, and have management sign off either way.
And, so, the legal posturing begins. Ultimately, it is the CEO who bears responsibility for informing investors on the state (including cybersecurity) of the company. There is also a fine line in how material cybersecurity deficiencies are discussed with investors absent an actual attack. Too much information can provide a roadmap for the attacker. Too little, well, then you might get sued by the government.
This lawsuit is not so much about SolarWinds' security posture as it is about misleading customers and investors. That said, their security posture notwithstanding, they did ship malicious code to their customers, for which they have not been held accountable. This may well be the single most expensive security failure ever, with the cost borne not by the failing party but by its customers.