The CFO of software provider SolarWinds appears to be personally off the hook — at least for now — in a cybersecurity-related complaint brought against the company by the Securities and Exchange Commission.
The SEC lawsuit, announced Monday, claims that Austin, Texas-based SolarWinds and its chief information security officer, Timothy Brown, defrauded investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020.
But the company’s CFO, J. Barton Kalsu, was not named, despite the fact that he was put on notice during the agency’s investigation. “While the SEC didn’t subsequently bring charges against the CFO along with the company and the CISO this time, it doesn’t completely close the door on them bringing charges down the road,” Lenin Lopez, an attorney specializing in corporate governance and securities law at insurance brokerage firm Woodruff Sawyer, told CFO Dive in an email. “That said, based on the facts associated with this case, I would be inclined to believe that the CFO won’t be finding himself on the receiving end of formal SEC charges.”
The case highlights an increasingly high-stakes regulatory and legal environment for C-suite executives when it comes to cybersecurity.
The former chief security officer of Uber was convicted last year of covering up a data security breach while his firm was under investigation by the Federal Trade Commission for prior cybersecurity lapses.
SolarWinds in late June disclosed that both Kalsu and Brown received so-called Wells notices from the SEC indicating the regulator had made a preliminary determination to recommend “a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.”
In July, the SEC raised the stakes further, adopting new rules requiring public companies to disclose “material cybersecurity incidents” to the agency within four days of determining that such a breach has occurred.
Generally, in cybersecurity cases like the one brought against SolarWinds, the facts determine who might be held liable, according to Peter Swire, senior counsel on the privacy, cybersecurity and data strategy team at law firm Alston & Bird.
“For instance, sometimes there is a smoking gun email that shows the author knew about the problem but decided to hide it,” Swire said in an email. “That kind of evidence can show intent to evade the law, and prosecutors are more likely to charge such a person.”
From at least October 2018, the time of SolarWinds’ initial public offering, through at least December 2020, when the software provider announced that it was the target of a massive, nearly two-year-long cyberattack dubbed “Sunburst,” the company overstated its cybersecurity practices and understated or failed to disclose known risks, according to the suit, which was filed in the Southern District of New York and alleges violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.
In its filings with the SEC during this period, SolarWinds misled investors by disclosing only “generic and hypothetical risks” at a time when it knew of specific deficiencies in its cybersecurity practices as well as the increasingly elevated risks the company faced, according to the complaint.
Brown, 59, was responsible for the overall security program at SolarWinds throughout the relevant period, the agency said. He also signed sub-certifications attesting to the adequacy of SolarWinds’ cybersecurity internal controls, which company executives relied on in connection with reports that were filed with the SEC, it noted.
SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, the commission asserted. The presentation indicated that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.
In addition, the agency cited presentations by Brown revealing that SolarWinds’ level of security left the company “in a very vulnerable state for our critical assets” and that access and privilege to critical systems and data was “inappropriate.”
On top of that, multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks, the SEC said.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir Grewal, director of the SEC’s Division of Enforcement, said in a press release.
While the CFO was previously put on notice that he could face charges, there appears to be no indication so far that he was “in the weeds” of cybersecurity-related decisions, according to Lopez.
“In his defense, the CFO would likely point to having relied on the CISO’s allegedly fraudulent, misrepresented sub-certifications,” Lopez said.
SolarWinds has denied the SEC’s charges, calling them “unfounded.”
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country,” a company spokesperson said in an emailed statement. “We look forward to clarifying the truth in court.”
King & Spalding attorney Alec Koch, who is representing Brown, told CFO Dive in an email that his client has performed his responsibilities at SolarWinds — both as vice president of information security and later as CISO — “with diligence, integrity, and distinction.”
“Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” said Koch, whose specialties include representing public companies and individuals in securities enforcement and anti-corruption investigations.
An SEC spokesperson didn’t immediately respond to a request for comment.