Chicago in the crosshairs

3/28/2024

In a Halloween-eve move sure to send shivers down the spines of every public company's CISO, on Oct. 30 the SEC filed a securities fraud complaint targeting SolarWinds' CISO in the wake of the company's major December 2020 data security incident. The complaint, filed in the Southern District of New York, alleges that the CISO violated the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, and it seeks permanent injunctive relief, disgorgement, civil penalties and an officer and director bar against him. This move is the latest in a series of steps taken by the SEC to flex its muscles in regulating data security.

In December 2020, SolarWinds, an IT management software company, publicly announced that its Orion product was the target of a large-scale attack later attributed to a Russian-government-backed hacking group. The attack, which persisted for months without being detected, affected 18,000 customers, including U.S. The Microsoft president said it was "the largest and most sophisticated attack the world has ever seen."

Complaint Allegations

The SEC's complaint names SolarWinds and its CISO as defendants. The SEC alleges that SolarWinds and its CISO committed securities fraud in connection with multiple public disclosures about the company's cybersecurity practices, including the Form 8-K disclosing the incident. According to the SEC, SolarWinds' public statements about its cybersecurity practices and risks did not square with internal assessments shared with the CISO, or with the CISO's own presentations about the company's cyber vulnerabilities.

The SEC identifies three places where SolarWinds and the CISO allegedly made materially false statements about information security: (1) a Security Statement on SolarWinds' website, (2) publicly filed Forms S-1, 10-K and 10-Q, and (3) the Form 8-K filed after the December 2020 disclosure of the security incident.

The complaint cites numerous presentations and internal emails and chats in which employees made statements that directly contradicted the Security Statement, which contained detailed information about SolarWinds' data security practices. For example, the Security Statement claimed that SolarWinds followed security standards published by the National Institute of Standards and Technology (NIST); the SEC says that security assessments SolarWinds itself performed showed it was far from compliant with NIST. The SEC is specific about a few areas where it alleges SolarWinds fell short of its representations: (1) secure development lifecycle, (2) password management and (3) least-privilege access. The SEC also points to documents and communications it alleges show that people at SolarWinds knew at the time that these representations were not true, including internal communications suggesting that the Security Statement itself was false.

This is a serious problem for CISOs generally, as it puts them directly and personally in the crosshairs of a regulatory agency with the authority both to fine them personally and to prevent them from ever holding a senior position within any public company.