Resources Blog How the SEC charges against SolarWinds highlight the ...

How the SEC charges against SolarWinds highlight the cybersecurity liability of software companies

On October 30, 2023, the Securities and Exchange Commission (SEC) filed a civil complaint against SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for violating federal securities laws by making false and misleading statements about its cybersecurity practices and known risks.

The complaint alleges that SolarWinds failed to disclose material information about its security vulnerabilities, its remediation efforts, and the impact of the breach on its business. The complaint also cites internal communications that showed that SolarWinds’ employees were aware of the company’s poor security posture. For example, one employee wrote in an email: "We’re so far from being a security minded company."

SolarWinds attacked

The primary issues stem from the massive cyberattack that compromised SolarWinds’ Orion software, which is used for network management and monitoring, in 2019. The hackers inserted malicious code into Orion’s software updates, which allowed them to access the systems of Orion’s customers, including several government agencies and private organizations. The breach, referred to as Sunburst, was one of the worst cyber espionage incidents in US history and exposed sensitive data and national security secrets.

The SEC’s lawsuit marks an evolution in holding software companies and their leadership accountable for fraud and internal control failures relating to cybersecurity risks and vulnerabilities. It signals the next step in the US’s approach to improving cybersecurity. And should provide a warning to other software companies that they need to take cybersecurity seriously or face legal consequences.

Increasing liability

Among a number of accusations, the complaint highlights the importance of duty of care and standard of care software companies have hidden from via complex End User License Agreements and other mechanisms for too long. By allegedly failing to disclose and address its cybersecurity risks and vulnerabilities, SolarWinds may have breached its duty of care and standard of care to its customers and investors. This may expose SolarWinds to civil liability for damages caused by the breach, as well as regulatory sanctions and penalties by the SEC and other authorities.

Sonatype’s Chief Technology Officer Brian Fox commented, “The SEC’s lawsuit against SolarWinds shows that the administration is cracking down on security lapses. The software industry can’t ignore cyber risk anymore. Food and auto manufacturing learned the hard way that liability and due care standards can change. Our industry will face the same. Those who learn from history will thrive.”

The case against Uber

The lawsuit against SolarWinds is the most significant action taken against a public company since the case against Uber in 2016. While the SEC was not involved, the US government, specifically the Department of Justice (DOJ), charged  Uber’s former chief security officer, Joseph Sullivan, with obstruction of justice and concealing his role in covering up the 2016 data breach that affected 57 million users and drivers.

In Sullivan’s case, instead of reporting the breach to the authorities and the affected parties, as required by law, Uber paid $100,000 to the hackers to delete the data and keep quiet. The case was the first of its kind to prosecute a corporate executive over a breach by outsiders. It also highlighted the importance of cybersecurity for software companies and their legal and ethical obligations to their customers and society.

Sullivan was convicted by a federal jury on October 5, 2022, and faced up to eight years in prison. While Sullivan only served 6 months of that potential sentence, the judge acknowledged he wanted to send a message to other corporate executives that they should not conceal data breaches. Therefore, the judge decided to sentence Sullivan to three years of probation and a $50,000 fine, instead of prison time.

Increased scrutiny under the national cybersecurity strategy

The SEC’s lawsuit and the Uber hacking case show the US’s increasingly strict posture. Both also highlight growing alignment with the Executive Order on Improving the Nation's Cybersecurity and the National Cybersecurity Strategy issued by President Biden in 2021 and 2023 that include:

  • Removing barriers to sharing threat information between government agencies and service providers
  • Modernizing federal information systems and adopting zero-trust architecture
  • Improving the security and integrity of the software supply chain
  • Establishing a cyber safety review board
  • Developing standards, tools, best practices, and guidelines for software security
  • Promoting innovation and investment in emerging technologies
  • Strengthening international cooperation and norms of responsible state behavior
  • Holding malicious cyber actors accountable

Sonatype can help

Software companies can avoid many of the issues that SolarWinds and Uber face by using Sonatype products. Sonatype is a leader in software supply chain management and security, offering solutions that help software companies manage, secure, and optimize their open source components and dependencies. By following these measures, software companies can not only avoid legal liability and reputational damage but also enhance their competitive advantage and customer loyalty. Cybersecurity is not a cost or a burden but a necessity and growing requirement of evolving legislation aimed to hold software organizations responsible for their actions in the US and around the world.

Some of the Sonatype products that can help software companies improve their cybersecurity are:

  • Sonatype Repository Firewall: This product blocks malicious open source components at the door, preventing them from entering the software supply chain and compromising the software quality and security. It also provides real-time alerts and remediation guidance for known vulnerabilities or license risks in the open source components.
  • Sonatype Nexus Repository: This product enables software companies to build faster with centralized components, reducing duplication and waste. It also supports multiple languages and formats, such as Java, Python, Ruby, Docker, and Helm, and integrates with popular tools like GitHub, Jenkins, and Jira.
  • Sonatype Lifecycle: This product helps software companies control open source risk across their software development lifecycle (SDLC), from development to deployment. It scans the codebase for any security or license issues, provides actionable insights and recommendations, and enforces policies and standards for software security.

Sonatype products are trusted by over 2000 organizations and 15 million developers worldwide. If you are interested in learning more about Sonatype products and pricing, check out our website or request a demo.

Picture of Jeff Wayman

Written by Jeff Wayman

Currently in his second tour at Sonatype, Jeff is our resident Conduit of Goodness, helping bridge gaps across teams to improve developer relations, content strategy, and brand awareness. In the past, he served and led teams across product management, technical writing, and customer education. When not writing about cybersecurity and open source software, you can find him outside (likely in the humid southeast) enjoying time with his family.