
SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws

Bart Kalsu, Tim Brown Could Face Monetary Penalties, Public Company Officer Ban

The Securities and Exchange Commission accused SolarWinds CFO Bart Kalsu and CISO Tim Brown of violating securities laws in their response to a high-profile software supply chain cyberattack in 2020.


The Austin, Texas-based IT infrastructure management vendor revealed late Friday that Kalsu and Brown are among "certain current and former executive officers and employees" targeted by the SEC for their role in responding to the Russian hack of the Orion network monitoring product. For each individual, SEC staff have recommended filing a civil enforcement action alleging violations of federal securities laws.

If the SEC proceeds with enforcement action, Kalsu, Brown or the others could face civil monetary penalties or an order barring them from serving as an officer or director of a public company. SolarWinds said in a shareholder filing that its disclosures, public statements, controls and procedures were appropriate, and that it plans to vigorously defend itself against any enforcement action.

"We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers," a company spokesperson told Information Security Media Group. "Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure."

It’s unusual for a CISO to receive a Wells Notice, and this SEC move could signal a whole new set of potential liabilities for CISOs, Equifax CISO Jamil Farshchi wrote in a LinkedIn post on Monday. Usually, a Wells Notice names a CEO or CFO for issues such as Ponzi schemes, accounting fraud or market manipulation, but those are unlikely to apply to a CISO, he said.

Farshchi speculated that the notice might be related to "a failure to disclose material information - things like failing to disclose the gravity of an incident or failing to do so in a timely manner could conceivably fall into this category," he said, adding that it's too early to know if any action will follow the Wells Notice.

"But if this is about disclosure, it shows the SEC isn’t sitting around waiting for cyber regs to be issued," he added. "They’re taking action today."

In October, the SEC alleged that SolarWinds violated federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures. But SolarWinds didn't disclose until Friday that SEC staff are now recommending authorizing enforcement action against specific individuals in the company (see: SolarWinds May Face SEC Investigation Over Hack Disclosure).

Kalsu, Brown and other individuals within SolarWinds received a "Wells Notice" from SEC staff, which stops short of formally charging anyone with wrongdoing and allows the individual or company to contest the preliminary staff determination. Neither Kalsu nor Brown immediately responded to an ISMG request for comment.

The SEC since 2011 has interpreted securities law as obligating companies to report risks and incidents, guidance it strengthened in 2018. Critics say the disclosures are typically cookie-cutter statements that reveal little about actual challenges in cyberspace. Earlier this year the SEC proposed a second revision to require current reporting about material cybersecurity incidents.

Current, Former SolarWinds CEOs Not Specified as SEC Targets

SolarWinds has changed CEOs since the Russian foreign intelligence service injected a Trojan into the company's Orion software updater. Former Pulse Secure CEO Sudhakar Ramakrishna started as CEO in 2021. The CEO at the time of the attack was Kevin Thompson, who has since become CEO of continuous testing vendor Tricentis. SolarWinds didn't indicate that Ramakrishna or Thompson got a Wells Notice.


Kalsu, 55, joined SolarWinds as vice president of finance in August 2007 and was promoted to his current role in April 2016. He previously spent two years as JPMorgan Chase's vice president of commercial banking and three years as senior director of finance at Red Hat. Kalsu previously served on the board of directors of EP Energy and Athlon Energy.

Brown has been responsible for SolarWinds' internal IT security, product security and security strategy since joining the company as CISO and vice president of security in July 2017. Prior to that, he spent five years as chief product officer at vulnerability risk management provider NopSec and four years as Dell's executive director for security, where he viewed the portfolio from an internal and external standpoint.

Ramakrishna told ISMG in November that SolarWinds has in recent years done extensive work testing, validating and qualifying the integrity of the company's source code. He said the company has stepped up its SOC capabilities and red-teaming programs to complement efforts to secure the company's build process through static code analysis, pen testing and better understanding open-source vulnerabilities (see: SolarWinds CEO on How to Secure the Software Build Process).

"The image of SolarWinds itself has evolved quite drastically and dramatically," Ramakrishna told ISMG in November 2022. "People in the past might have been skeptical about our secure by design work or our own competencies. But now, I routinely see customers, partners and others wanting to implement the techniques that we are using in their environment."

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
