On October 30, 2023, the Securities and Exchange Commission (SEC) filed a civil complaint against SolarWinds Corporation and its chief information security officer, Timothy G. Brown, alleging that they violated federal securities laws by making false and misleading statements about the company’s cybersecurity practices and known risks.
The complaint alleges that SolarWinds failed to disclose material information about its security vulnerabilities, its remediation efforts, and the impact of the breach on its business. The complaint also cites internal communications that showed that SolarWinds’ employees were aware of the company’s poor security posture. For example, one employee wrote in an email: "We’re so far from being a security minded company."
The primary issues stem from the massive 2019 cyberattack that compromised SolarWinds’ Orion software, which is used for network management and monitoring. The hackers inserted malicious code into Orion’s software updates, which allowed them to access the systems of Orion’s customers, including several government agencies and private organizations. The breach, referred to as Sunburst, was one of the worst cyber espionage incidents in US history and exposed sensitive data and national security secrets.
The SEC’s lawsuit marks an evolution in holding software companies and their leadership accountable for fraud and internal control failures relating to cybersecurity risks and vulnerabilities. It signals the next step in the US approach to improving cybersecurity, and it should serve as a warning to other software companies that they must take cybersecurity seriously or face legal consequences.
Among a number of accusations, the complaint highlights the duty of care and standard of care that software companies have for too long shielded themselves from through complex End User License Agreements and similar mechanisms. By allegedly failing to disclose and address its cybersecurity risks and vulnerabilities, SolarWinds may have breached its duty of care and standard of care to its customers and investors. This may expose SolarWinds to civil liability for damages caused by the breach, as well as regulatory sanctions and penalties by the SEC and other authorities.
Sonatype’s Chief Technology Officer Brian Fox commented, “The SEC’s lawsuit against SolarWinds shows that the administration is cracking down on security lapses. The software industry can’t ignore cyber risk anymore. Food and auto manufacturing learned the hard way that liability and due care standards can change. Our industry will face the same. Those who learn from history will thrive.”
The lawsuit against SolarWinds is the most significant action taken against a public company since the case against Uber in 2016. While the SEC was not involved, the US government, specifically the Department of Justice (DOJ), charged Uber’s former chief security officer, Joseph Sullivan, with obstruction of justice and concealing his role in covering up the 2016 data breach that affected 57 million users and drivers.
In Sullivan’s case, instead of reporting the breach to the authorities and the affected parties, as required by law, Uber paid $100,000 to the hackers to delete the data and keep quiet. The case was the first of its kind to prosecute a corporate executive over a breach by outsiders. It also highlighted the importance of cybersecurity for software companies and their legal and ethical obligations to their customers and society.
Sullivan was convicted by a federal jury on October 5, 2022, and faced up to eight years in prison. While Sullivan only served 6 months of that potential sentence, the judge acknowledged he wanted to send a message to other corporate executives that they should not conceal data breaches. Therefore, the judge decided to sentence Sullivan to three years of probation and a $50,000 fine, instead of prison time.
The SEC’s lawsuit and the Uber hacking case show the US’s increasingly strict posture. Both also highlight growing alignment with the Executive Order on Improving the Nation's Cybersecurity and the National Cybersecurity Strategy issued by President Biden in 2021 and 2023 that include:
Software companies can avoid many of the issues that SolarWinds and Uber face by using Sonatype products. Sonatype is a leader in software supply chain management and security, offering solutions that help software companies manage, secure, and optimize their open source components and dependencies. By following these measures, software companies can not only avoid legal liability and reputational damage but also enhance their competitive advantage and customer loyalty. Cybersecurity is not a cost or a burden but a necessity and growing requirement of evolving legislation aimed to hold software organizations responsible for their actions in the US and around the world.
Some of the Sonatype products that can help software companies improve their cybersecurity are:
Sonatype products are trusted by over 2000 organizations and 15 million developers worldwide. If you are interested in learning more about Sonatype products and pricing, check out our website or request a demo.