The SolarWinds breach was one of the most significant cyberattacks in recent history, affecting thousands of organizations and compromising sensitive data and systems. The 2020 breach against SolarWinds, a provider of IT management software, exposed the vulnerabilities of relying on third-party vendors for critical IT services and highlighted the need for effective vendor risk management.
Recently, the U.S. Securities and Exchange Commission (SEC) announced that it had charged SolarWinds and its Chief Information Security Officer (CISO) with fraud for making false and misleading statements about the breach to investors and customers. Per the Wall Street Journal, this is the first time that the SEC has filed a civil lawsuit against a public company over a security breach. This lawsuit comes shortly after the SEC adopted new rules on how public companies must disclose information related to cyber incidents and their broader cybersecurity practices.
This blog delves into the details of the breach, its implications, and the ensuing SEC charges, shedding light on the importance of effective vendor risk management.
What is the SolarWinds Hack?
The SolarWinds breach stands out for its sophistication and far-reaching impact. The attackers managed to infiltrate SolarWinds’ Orion software, a platform widely utilized for network and infrastructure monitoring. More than 30,000 public and private sector organizations used the Orion software to manage IT resources.
The attackers, who are believed to be linked to the Russian government, were able to access the systems of up to 18,000 SolarWinds customers. The attackers inserted malicious code into Orion software updates, allowing them to spy on the victims’ networks, steal data, and move laterally across different systems. Some of the high-profile targets of the attack included Microsoft, Cisco, Intel, and several US government agencies, such as the Department of Homeland Security, the Treasury Department, the Department of Justice, and the Department of Energy. The breach went undetected for months until FireEye, a cybersecurity firm that was itself compromised, reported that it had been hacked and identified that the Orion software had been compromised as well.
Understanding the SEC Charges Against SolarWinds
In October 2023, the SEC filed a civil lawsuit charging SolarWinds and its CISO with fraud and internal controls failure, alleging that the firm defrauded investors by misleading them about its cyber vulnerabilities. The fact that SolarWinds’ CISO is personally implicated in the lawsuit signals the SEC’s increased focus on cybersecurity governance and the responsibilities of corporate officers.
The SEC alleges that SolarWinds internally acknowledged deficiencies in its cybersecurity practices but made public statements to the contrary. In those public statements, the company disclosed only “generic and hypothetical” cybersecurity risks and did not disclose any elevated risks specific to the company.
A critical point in the case is that the CISO and other executives repeatedly ignored internal warnings about potential security risks. For example, a 2018 presentation highlighted significant security concerns, which were subsequently overlooked or not acted upon with the necessary urgency. The SEC alleges that, by ignoring these warnings, the CISO left the company’s systems exposed.
Lessons Learned and the Path Forward
The SolarWinds breach and the subsequent SEC charges against the company and its CISO represent a pivotal moment in the landscape of cybersecurity and corporate governance. This breach serves as a reminder of the critical importance of robust vendor risk management and the need for transparency in cybersecurity practices. It underscores the far-reaching consequences of cyberattacks, not just in terms of data security but also in legal and financial repercussions for companies and their executives.
The SEC’s actions signal a shift towards more stringent regulatory scrutiny over how companies manage and disclose cybersecurity risks. This landmark case highlights the growing expectation for companies to proactively address potential security vulnerabilities and be forthright in their communications with investors and stakeholders about cyber risks.
As organizations navigate this increasingly complex cyber landscape, the SolarWinds incident offers valuable lessons. It emphasizes the necessity for continuous vigilance, rigorous internal review processes, and a culture of transparency and accountability. For executives and cybersecurity professionals, this case underlines the importance of heeding internal warnings and consistently updating and improving cybersecurity measures to protect against evolving threats.