It looks pretty bad for SolarWinds and its chief information security officer (CISO) after the U.S. Securities and Exchange Commission (SEC) filed fraud charges against them.
The overarching message of this case is that cyber risks are real risks.
The charges revolve around the Austin, Texas-based company's alleged failure to disclose a breach and its true impact on SolarWinds in a timely and accurate manner. The SEC contends that SolarWinds made materially false and misleading statements about the incident in its public filings and communications with investors.
In December 2020, SolarWinds revealed that it had fallen victim to a massive cyberattack, which led to unauthorized access to its Orion software updates in September 2019. This breach had far-reaching consequences, as it allowed the attackers to infiltrate numerous government agencies and major corporations.
The attackers were able to exfiltrate sensitive data and remain undetected for an extended period. SolarWinds' reputation took a substantial hit, and its stock price plummeted.
The allegations have sent ripples throughout the tech industry and raised serious questions about corporate governance and cybersecurity.
The fallout from the breach underscored the significance of robust cybersecurity practices and the need for greater transparency in the tech industry.
Nobody would have been surprised if this had been a CFO who had been cooking the books and misstating the accounting standard, or a chief people officer (CPO) who was covering up harassment complaints and lying about personnel reporting procedures.
This was a CISO who, it is alleged, deliberately misstated risks that were material to the operation of a public company. Cyber risk is as real as any other in its ability to damage the enterprise value of a company.
In the case of SolarWinds, one-third of its share price disappeared because of this attack, which could potentially have been prevented, and which definitely should have been reported to investors to give them a full and accurate picture of the risk profile and health of the company.
A lot of this is reflected in the new SEC rules on cyber reporting requirements, and simply shows that modern companies are hugely vulnerable to cyberattack. These risks are real and need to be declared.
As for past cyber practices, there needs to be a full and frank assessment of the seriousness of any errors and omissions, and, just as any other past mischaracterized risks have to be declared, this is no different. I reiterate, cyber risks are real risks.