
SEC charges SolarWinds, its CISO with fraud

Editor’s note: This story is developing and will be updated.

The Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cybersecurity practices leading up to the Sunburst attack discovered in December 2020. 

The SEC on Monday alleged the company overstated its cybersecurity practices and failed to disclose known risks from October 2018 up to at least the Sunburst attack. 

Public statements from the company contradicted internal assessments, including a 2018 assessment by a company engineer, shared with Brown and others, showing the company’s remote access setup was “not very secure,” the SEC complaint said.

An internal document shared with Brown and others in September 2020 stated the volume of security issues “identified over the last month” outstripped the engineering team’s capacity to resolve them, according to the SEC.

SolarWinds also made an incomplete disclosure in a Dec. 14, 2020, filing on Form 8-K, the SEC said. The company’s stock dropped by 25% over the next two days.

SolarWinds disputed the charges.

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” the company said in a statement. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country.” 

The charges follow a notification the SEC sent in June that informed the company and Brown of possible action as a result of the investigation.