date 2023-10-31

The Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its chief information security officer, Timothy G. Brown, for misleading investors by not disclosing “known risks” and not accurately representing the company’s cybersecurity measures before and during the 2020 Sunburst cyberattack, which affected thousands of customers in government agencies and companies globally.

“SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations,” the SEC said in a press release.

It is unusual for a company CISO to be named in SEC charges for non-disclosure. The SolarWinds case could act as a pivotal point for the role of the CISO, transforming it into one that carries far more scrutiny and responsibility.

“The SolarWinds incident highlights the responsibility of CISOs of publicly listed companies in not only managing the cyberattacks but also proactively informing customers and investors about their cybersecurity readiness and controls,” said Pareekh Jain, chief analyst at Pareekh Consulting. “This lawsuit highlights that there were red flags earlier that the CISO failed to disclose. This will make corporations and CISOs take notice and take proactive security disclosure more seriously, similar to how CFOs take financial information disclosure seriously.”

“There are many unknowns here; we don't know if the CISO ‘succumbed’ to pressure from other leaders or if he was complicit in the hack,” said Agnidipta Sarkar, vice president for CISO Advisory at ColorTokens Inc. “In either case, he is the target. But the reality is that the CISO is a very complex role. We are constantly required to navigate internal politics and pushbacks, and unless you are on your toes, you will be at the mercy of external forces at a scale no other CXO is exposed to.”

Earlier, in June, the SEC sent notices to SolarWinds staff, including the chief financial officer (CFO) and the chief information security officer (CISO), indicating it may pursue legal action for violations of federal law in connection with their response to Sunburst.

Complaint says SolarWinds downplayed security concerns

In its complaint, the SEC alleged that SolarWinds’ public statements about its cybersecurity practices and risks were “at odds with its internal assessments”. An internal presentation developed by company engineers in 2018, for instance, proved that SolarWinds (and Brown) had knowledge of security risks within its core products.

Quoting SolarWinds’ internal documents, the SEC complaint said the company’s remote access setup was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without (us) detecting it until it’s too late,” which could lead to “major reputation and financial loss” for the company.

Additionally, Brown himself made internal presentations in 2018 and 2019 stating that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “access and privilege to critical systems/data is inappropriate.”

“Brown and other SolarWinds employees knew that SolarWinds had serious cybersecurity deficiencies,” the complaint said. “Internal emails, messages, and documents describe numerous known material cybersecurity risks, control issues, and vulnerabilities. These internal statements dramatically contradict SolarWinds’ public disclosures relating to its cybersecurity practices, risks, controls, and vulnerabilities.”

In June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “(our) backends are not that resilient,” according to the complaint.

“The volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve,” stated an internal document shared with Brown and others two months later.

SolarWinds calls SEC charges misguided and improper

On the same day the SEC filed the lawsuit, SolarWinds CEO Sudhakar Ramakrishna posted the company’s response on its Orange Matter blog.

“The SEC has filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” Ramakrishna said in the blog.

Denying all charges, Ramakrishna claimed that SolarWinds maintained appropriate cybersecurity controls before and after Sunburst. He also said that SolarWinds will vigorously oppose the SEC action.

According to an SEC press statement, the complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.