U.S. SECURITIES AND EXCHANGE COMMISSION
Litigation Release No. 25887 / October 31, 2023

Securities and Exchange Commission v. SolarWinds Corporation and Timothy G. Brown, No. 23-civ-9518 (SDNY filed Oct. 30, 2023)

SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures

The Securities and Exchange Commission today announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

As the complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.

The SEC’s complaint alleges that SolarWinds violated Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder; Section 17(a) of the Securities Act of 1933 (“Securities Act”); and Sections 13(a) and 13(b)(2)(B) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15(a) thereunder; and that Brown violated and also aided and abetted SolarWinds’ violations of Section 10(b) of the Exchange Act and Rule 10b-5 thereunder, and Section 17(a) of the Securities Act; and that he aided and abetted SolarWinds’ violations of Sections 13(a) and 13(b)(2)(B) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15(a) thereunder.

The SEC’s investigation was conducted by W. Bradley Ney, Lory Stone, and Benjamin Brutlag, with assistance from the Trial Unit’s Christopher Bruckmann and Kristen Warden, and was supervised by Carolyn M. Welshhans and Melissa R. Hodgman. The SEC’s litigation will be led by Mr. Bruckmann and Ms. Warden under the supervision of Melissa Armstrong.