YouTube player

The U.S Securities and Exchange Commission has announced charges against SolarWinds Corporation and its Chief Information Security Officer (CISO) for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

SolarWinds suffered a supply-chain attack in 2020 which resulted in many other organisation being breached, including U.S government agencies. The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement of the two-year long cyberattack, SolarWinds and the CISO defrauded investors by overstating SolarWinds’ cybersecurity practices and understated or failed to disclose known risks. It also alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with the CISO, that the company’s remote access set-up had vulnerabilities which could allow attackers unrestricted access. There was also other communications cited that alleged that the CISO was aware of the company’s cybersecurity risks and vulnerabilities, but failed to resolve the issues or raise them sufficient further within the company.

This segment was created for the It’s 5:05 podcast