SolarWinds has accused the SEC of revictimization and called on the courts to dismiss the regulator’s fraud charges against the company and its CISO arising from the 2020 Sunburst supply chain attack.
The SEC last October accused SolarWinds and CISO Timothy G. Brown of “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”
It alleged that, from at least its 2018 IPO to December 2020, “SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”
While the firm disclosed “generic and hypothetical risks”, the SEC alleges, “the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
A memo supporting SolarWinds’ motion to dismiss insisted the company had responded as it should have, “promptly and transparently” disclosing the attack and keeping investors updated on the progress of its investigation.
The SEC “seeks to revictimize the victim” and the charges are “as unfounded as they are unprecedented”, the memo continued.
“The SEC is trying to unfairly move the goalposts for what companies must disclose about their cybersecurity programs and, with the controls charges” it said, “claim a mandate for regulating those programs that the agency does not have.”
SolarWinds said that the SEC was demanding that companies disclose “detailed vulnerability information” in filings. But, it argued, this was not the law, for the simple reason that this would provide roadmaps for attacks.
“The agency is seeking to twist the concept of accounting controls into a sweeping mandate for it to regulate public companies’ cybersecurity controls—a role for which the SEC lacks congressional authorization or substantive expertise.”
In the body of the motion, SolarWinds argues the SEC’s position on disclosing vulnerabilities was not just unsupported by the law but “impractical and dangerous.” Security is a continuous endeavour, and keeping investors up to date on every granular risk would be an “impossible task” that would deluge investors with unnecessary details.
And while the SEC alleges that employees discussed vulnerabilities, SolarWinds says that “at most” those discussions reflected employees working to identify and correct deficiencies, which, it argues, is what cybersecurity is all about.
The memo also questions just what counts as following the NIST Framework, what constitutes a Secure Development Lifecycle, and what does and doesn’t constitute strong access controls.
While the events in question happened three years ago or more, they are acutely pertinent today. The SEC has been tightening rules on cybersecurity risk management for the companies it covers, while the Commodity Futures Trading Commission has just kicked off its own consultation on cyber risk disclosures and procedures.
These will all increase the compliance burden on senior tech leaders, even as they grapple with an ever more hostile cyber threat landscape.