The Securities and Exchange Commission on Monday charged software provider SolarWinds Corp. and its chief information-security officer with fraud and the failure to fully disclose cybersecurity weaknesses, following a historic cyberattack disclosed in 2020 that was purportedly backed by Russia.
SolarWinds, in a statement, called the allegations “unfounded” and accused the SEC of “overreach.” Shares of the company were down 0.2% in after-hours trade on Monday.
The SEC on Monday alleged that from at least SolarWinds’ October 2018 IPO through its December 2020 announcement that it had been targeted in the breach, the company and its chief information security officer, Timothy Brown, “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.” The SEC’s complaint alleged that despite warnings from employees, Brown “failed to resolve the issues or, at times, sufficiently raise them further within the company.” The agency is seeking civil penalties and an officer and director bar against Brown.
SolarWinds is based in Austin, Texas, and develops IT management software for businesses and governments. The attack, which exploited a software update, was one of the biggest ever, compromising scores of customers as well as government agencies and big companies like Microsoft Corp.
Gurbir Grewal, director of the SEC’s enforcement division, alleged in a statement that “for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company.’” A SolarWinds spokesperson accused the SEC of manufacturing claims against the company and Brown. “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an …