Setting the Record Straight on the SEC and SUNBURST

Original source post by SolarWinds

Over the last week, we have appreciated the support expressed for SolarWinds by so many of our customers, joined by voices across the cybersecurity and IT communities. We share their concern that the SEC’s misguided complaint threatens to impair our industry’s collective security.

The SEC’s lawsuit is fundamentally flawed—legally and factually—and we plan to defend vigorously against the charges. While our full responses will be made through the legal process, we want to set the record straight early regarding some of the SEC’s key false claims—and share the real facts.

Through transparent communications with the industry and our ongoing Secure by Design efforts, we are pleased to have retained the trust of our customers while also gaining new customers in both the public and private sectors. The answers to the questions below are provided as part of our ongoing commitment to transparency.

The SEC alleges the company lacked adequate cybersecurity controls before the SUNBURST cyberattack. Is that true?

No—we categorically deny those allegations. The company had appropriate cybersecurity controls in place before SUNBURST. The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture.

That is precisely why we are fighting this case: the SEC is twisting the facts in an attempt to expand its regulatory footprint in the cybersecurity space. We intend to correct the record and push back on their overreach, as the SEC is provably wrong about the facts and lacks the authority or competence to regulate public companies’ cybersecurity.

What about the SEC’s allegations that the company did not follow the NIST framework?

The NIST allegations are a prime example of the SEC making inaccurate assertions by twisting the facts.

The SEC says that SolarWinds falsely claimed to follow the NIST Cybersecurity Framework (CSF). However, the supposed evidence for this claim is mainly a preliminary self-assessment from 2019 as to whether SolarWinds met an entirely different set of standards—those in NIST Special Publication (SP) 800-53 and FedRAMP. Further, this preliminary self-assessment was only for a small subset of SolarWinds products, which were unaffected by the SUNBURST cyberattack.

Whether SolarWinds met NIST SP 800-53 or FedRAMP requirements has nothing to do with whether it followed the NIST CSF. The SEC is mixing apples and oranges, underscoring its lack of cybersecurity expertise.

Elsewhere, the SEC’s complaint suggests that our 2019 NIST CSF scores in certain categories were “poor.” But our overall score in 2019 was a “3”—a strong score, as anyone familiar with NIST assessments understands. More importantly, the SEC fundamentally misunderstands what it means to follow the NIST CSF. The NIST CSF doesn’t have any minimum score requirements. It is a flexible assessment tool for companies to evaluate their cybersecurity risks and plan improvements. As the SEC’s complaint itself makes clear, SolarWinds used the NIST CSF to assess and improve its cybersecurity controls. That’s precisely what following the NIST CSF means.

Has the SEC found anything new about what caused the Russian SUNBURST cyberattack?

No. The SEC complaint does not identify how Russia was able to enter the SolarWinds environment. In fact, that is still unknown to this day. SUNBURST is widely regarded as one of the most sophisticated cyberattacks of all time, and it’s unfortunate that the SEC is laying blame for the attack at the feet of its victim.

What about the SEC’s claim that a VPN vulnerability contributed to SUNBURST?

There was no VPN “vulnerability.” Public and private sectors use VPN systems to support Bring Your Own Device (“BYOD”) policies that allow employees to connect their own devices to the company’s VPN using valid login credentials. Organizations worldwide depended on VPN connections to ensure access to necessary systems when workers went home during the pandemic. That widespread use continues today as workforces embrace hybrid work models.

SolarWinds maintained controls during the relevant timeframe designed to mitigate the risks from VPN access (such as restrictions on the scope of access available to unmanaged devices). The SEC’s assertion that the company lacked compensating controls is false.

Did SolarWinds hide information about its cybersecurity risks or the attack from its SEC filings?

Absolutely not. SolarWinds’ disclosures were accurate both before and after the attack.

Our regulatory filings before the attack clearly disclosed that, despite the company’s security controls, it was subject to the risk of a breach—including a state-sponsored attack like SUNBURST. This risk disclosure was comparable to those of leading U.S. technology companies. If our risk disclosure were considered inadequate, everyone’s risk disclosures would be inadequate.

While the SEC asserts in its complaint that SolarWinds should have disclosed more details about potential vulnerabilities, that is not the sort of information that belongs in disclosures to investors, as the SEC itself has previously recognized (for example, in its prior guidance at p. 11 and at p. 134). While we dispute the SEC’s various allegations about supposed “vulnerabilities,” the suggestion in the SEC’s complaint that companies should essentially provide roadmaps to hackers in regulatory filings is illogical and dangerous.

SolarWinds promptly disclosed the SUNBURST attack a mere two days after learning about it. We fully acknowledged the seriousness of the incident, disclosing that up to 18,000 customers could be affected—even though this greatly overestimated the attack’s actual impact, as the number affected turned out to be approximately 100. SolarWinds provided mitigation recommendations as we disclosed the attack and followed with a software patch for customers just two days later. The notion that SolarWinds was trying to hide information about the attack from investors or customers is absurd.

SolarWinds responded to SUNBURST precisely the way the U.S. government seeks to encourage. We promptly and transparently disclosed the attack and cooperated extensively with law enforcement and intelligence agencies. The security community has widely praised our response. The SEC is trying to manufacture an issue where there is none.

Why do cybersecurity experts believe the SEC’s lawsuit will harm security?

The lawsuit threatens to harm security by pressuring companies to disclose sensitive security information in public filings and by chilling candid internal communications among security personnel.

If the SEC has its way, companies would be required to disclose detailed vulnerability information in public filings, which would not be useful to investors but would be useful to hackers looking for vulnerabilities to exploit. That is the very reason the SEC has previously advised companies that SEC rules do not require such disclosures. This lawsuit undermines that guidance and leaves public companies confused about how much they must disclose.

The SEC’s complaint also threatens to discourage CISOs and other cybersecurity personnel from candidly evaluating and discussing risks internally, which is necessary for continuous improvement: identifying the areas where security can be strengthened. If security personnel must constantly worry about their well-intentioned words and actions being mischaracterized in a false light and used as fodder for government charges, the result will be to drive good people from the industry and to inhibit frank communication and sound decision-making about security issues.

We have heard from many in the cybersecurity community who share these concerns. It is abundantly clear that what the SEC is doing here is not how cybersecurity regulation should be done. The complexities of the SUNBURST attack and the challenges of protecting against such threats deserve to be viewed through the eyes of neutral, experienced cybersecurity experts.

This Blog Post contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding the enforcement action filed by the Securities and Exchange Commission against SolarWinds relating to the 2020 cyberattack (the “Cyber Incident”) and our ability to vigorously defend against the charges. The information in this Blog Post is based on management’s beliefs and assumptions and on information currently available to management. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties, and other factors that may cause actual results, performance, or achievements to be materially different from any future results, performance, or achievements expressed or implied by the forward-looking statements. 
Factors that could cause or contribute to such differences include, but are not limited to risks related to the Cyber Incident, including with respect to (a) numerous financial, legal, reputational and other risks to us related to the Cyber Incident, including risks that the incident, SolarWinds’ response thereto or litigation and investigations related to the Cyber Incident may result in the loss of business as a result of termination or non-renewal of agreements or reduced purchases or upgrades of our products, reputational damage adversely affecting customer, partner and vendor relationships and investor confidence, increased attrition of personnel and distraction of key and other personnel, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, and risks related to the impact of any such costs and liabilities resulting from the exhaustion of our insurance coverage related to the Cyber Incident, (b) litigation and investigation risks related to the Cyber Incident, including as a result of the civil complaint filed by the Securities and Exchange Commission against us and our current Chief Information Security Officer relating to the previously disclosed Wells Notices, including that we may incur significant costs in defending ourselves and may be unsuccessful in doing so, resulting in exposure to potential penalties, judgements, fines, settlement-related costs and penalties and other costs and liabilities related thereto, (c) the possibility that our steps to secure our internal environment, improve our product development environment and ensure the security and integrity of the software that we deliver to our customers may not be successful or sufficient to protect against future threat actors or attacks or be perceived by existing and prospective customers as sufficient to address the harm caused by the Cyber Incident, and (d) such other risks and uncertainties described more fully in documents filed with or furnished to the U.S. Securities and Exchange Commission by SolarWinds, including the risk factors discussed in SolarWinds’ Annual Report on Form 10-K for the year ended December 31, 2022 filed on February 22, 2023, SolarWinds’ Quarterly Report on Form 10-Q for the quarter ended March 31, 2023 filed on May 4, 2023, SolarWinds’ Quarterly Report on Form 10-Q for the quarter ended June 30, 2023 filed on August 9, 2023 and SolarWinds’ Quarterly Report on Form 10-Q for the quarter ended September 30, 2023 that SolarWinds anticipates filing on or before November 9, 2023. All information provided in this Blog Post is as of the date hereof, and SolarWinds undertakes no duty to update this information except as required by law.

The post Setting the Record Straight on the SEC and SUNBURST appeared first on Orange Matter.