SEC Settles with SolarWinds Over 2018-2020 Cybersecurity Failures
In a significant development, the U.S. Securities and Exchange Commission (SEC) has reached a settlement in principle with SolarWinds Corp. and its former chief information security officer, Timothy G. Brown. The settlement follows charges laid in October 2023 alleging violations of securities laws due to concealed vulnerabilities and cyber events between 2018 and 2020.
The SEC's lawsuit, filed in the Southern District of New York, accused SolarWinds of investor fraud and knowingly exposing its systems to cybersecurity risks. Microsoft, which was among the companies affected by the SolarWinds cyberattack, described it as the 'largest and most sophisticated' ever seen. The attack, linked to Russia, compromised the data of thousands of companies and government offices.
The settlement, which is yet to be finalized, involves SolarWinds agreeing to pay a penalty without admitting or denying the SEC's findings. The SEC alleged inadequate internal controls and disclosure failures tied to the cybersecurity breach. District Court Judge Paul A. Engelmayer granted a stay in the case to facilitate the settlement discussions.
The settlement details are expected to be submitted to the court by September 12, or the parties will provide a status update. This resolution marks a significant step in addressing the fallout from the SolarWinds cyberattack and sends a clear message about the importance of robust cybersecurity measures and transparency in corporate governance.
