SEC Charges SolarWinds and CISO Timothy Brown with Misleading Investors

The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its CISO, Timothy Brown, with allegedly misleading investors about SolarWinds' cybersecurity practices and controls.

The SolarWinds hack captured headlines in 2020 and stands as one of the largest cybersecurity breaches in history. The massive breach led to a global supply chain incident affecting more than 30,000 organizations, including the federal Departments of Homeland Security, Justice, Energy, Treasury and Commerce, as well as global companies such as Microsoft and Cisco.

The U.S. government officially named the Russian Foreign Intelligence Service as the perpetrator, but there was also speculation that charges would be levied against SolarWinds executives for their role in the breach. Last Monday, the SEC made that speculation official, charging SolarWinds and Timothy Brown with:

  • Violating the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934 (Brown and SolarWinds).
  • Violating reporting and internal controls provisions of the Exchange Act (SolarWinds).
  • Aiding and abetting the company's violations (Brown).

The SEC believes that SolarWinds knew about specific vulnerabilities and poor cyber controls but chose to ignore them between its initial public offering in October 2018 and the December 2020 announcement of the hack.

The complaint alleges that SolarWinds' public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 internal report from a company engineer citing vulnerability concerns, and that the company's disclosure of the SUNBURST attack itself was incomplete.

The SEC also believes that Brown deliberately misled investors by not publicly disclosing the alleged cybersecurity failures before the breach, including the false claim that "SolarWinds had a strong password policy and strong access controls despite maintaining weak controls for years that granted employees administrative access."

Perhaps the most damaging allegation is that Brown acknowledged that the backends of SolarWinds' Orion software were not resilient and knew about previous attacks on it. Orion was the exact software into which the malicious code was deployed, causing the historic 2020 breach.

The complaint seeks "permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown." The case is unique for several reasons, including that it is the first time the SEC has:

  • Charged an individual in a cybersecurity case.
  • Alleged that an organization intentionally attempted to deceive investors about its cybersecurity.
  • Alleged that a company knowingly had internal control failures in safeguarding itself.

"We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds' cyber risks, which were well known throughout the company," said Gurbir Grewal, Director of the SEC's Division of Enforcement. "Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."

SolarWinds issued a statement disputing the SEC's charges and calling them unfounded. The statement also confirmed that the company will fight the charges in court and reinforced its full support of Brown, who at the time of writing remains its acting CISO.

Should security executives be worried about the SEC's charges against SolarWinds?

In theory, security executives should not fear being blamed for an incident, provided that, to the best of their ability, they have been honest with their board, the public (where applicable), regulators and investors.

Most importantly, they must adhere to federal disclosure laws and reporting requirements, which the SEC believes were intentionally not followed in this case and which form the basis of the complaint.

The last time a security professional was charged in connection with a cybersecurity incident was after Uber's 2016 data breach. Joe Sullivan, Uber's Chief Security Officer at the time, was charged with obstruction of justice for "deliberately concealing, deflecting, and misleading the Federal Trade Commission about the breach."

It is important to remember that these charges were not brought because the attack happened, but because SolarWinds and Brown allegedly knew about vulnerabilities and incidents and knowingly chose to mislead investors and give incomplete disclosures.

So, while many headlines may push the idea that CISOs and CSOs are being scapegoated for cyber attacks, this case demonstrates that their legal liability is actually based on alleged personal actions, investor communications and public statements, and on compliance with federal disclosure laws, which will only become stricter for public companies.

On the other hand, given the recent scrutiny from the SEC and the FTC, there is a case to be made that security executives should be concerned both about how they present their company's cybersecurity practices internally and publicly and, more importantly, about how regulators view the burden of liability in these cases. If you consider how often public policies do not align with the internal reality of an organization, you can see why some are worried about this case.

If a CISO or CSO has made a good-faith effort to establish, document and enforce cybersecurity controls and practices, but those controls were not in fact enforced, is it fair to hold only the CISO or CSO accountable? Or should the responsibility fall on the company?

The more complex question may be: how can organizations better support their security executives in the increasingly complicated landscape of regulatory oversight, disclosure requirements, investor demands and federal law, so that a situation such as this never arises in the first place?

What do you think? Let us know by email.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection reviews, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page.



The material discussed is provided for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Accordingly, this information should be relied upon when coordinated with individual professional advice.

©2023 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
