Trade friends of Timothy G. Brown, SolarWinds’ leader knowledge safety officer, expressed fear in a courtroom submitting this month that the Securities and Alternate Fee is making an attempt to carry Brown chargeable for public statements from the corporate that allegedly misled buyers about SolarWinds’ cybersecurity practices previous to its notorious 2020 cybersecurity breach.

From 2018 to 2020, earlier than he used to be named CISO and earlier than SolarWinds came upon the Sunburst assault, Brown wrote more than one personal memos to corporate executives and others expressing fear about SolarWinds’ cybersecurity posture. He mentioned in October 2018, as an example, that the corporate’s “present state of safety leaves us in an excessively susceptible state for our vital belongings.”

The SEC claims this presentations Brown knew SolarWinds’ public statements about its robust safety posture have been fraudulent. Thirty present and previous CISOs, together with the CISOs of Town Nationwide Financial institution of Florida and Axis Capital, mentioned in their very own transient filed Feb. 2 that the “alleged inadequacies” in SolarWinds’ public filings are “now not usually” the duty of CISOs like Brown, and pinning legal responsibility for them on him is counterproductive. The CISOs signed the transient of their private capacities, now not on behalf in their establishments.

“Legal responsibility underneath those theories empowers risk actors, chills interior communications about cyber-threats, exacerbates the already serious scarcity of cybersecurity pros, and deters collaboration between the non-public sector and the federal government,” the CISOs mentioned.

In the unique criticism from October, the SEC claimed Brown “defrauded SolarWinds’ buyers and consumers via misstatements, omissions, and schemes that hid each the corporate’s deficient cybersecurity practices and its heightened — and extending — cybersecurity dangers.”

A long way from claiming SolarWinds’ cybersecurity practices have been enough, Brown mentioned whilst investigating a Would possibly 2020 assault on a U.S. executive company that it used to be “very relating to” that the attacker will have been having a look to make use of SolarWinds’ Orion tool in greater assaults as a result of “our backends don’t seem to be that resilient.” Certainly, attackers have been already exploiting vulnerability in that very tool to penetrate more than one different U.S. companies.

However publicly, SolarWinds touted its safety practices in a observation on its web page that, the SEC alleged, incorporated more than one false claims concerning the corporate’s safety practices. Those statements incorporated that SolarWinds complied with a well known framework for comparing cybersecurity practices, used a protected building lifecycle, had robust password coverage and maintained excellent get entry to controls.

The SEC introduced proof that every of those statements have been false, and it additionally alleged Brown used to be known because the “proprietor” or “approver” of the general public statements in more than one corporate paperwork.

“We allege that, for years, SolarWinds and Brown unnoticed repeated crimson flags about SolarWinds’ cyber dangers,” mentioned Gurbir Grewal, director of the SEC’s department of enforcement, in October. “Quite than deal with those vulnerabilities, SolarWinds and Brown engaged in a marketing campaign to color a false image of the corporate’s cyber controls atmosphere, thereby depriving buyers of correct subject matter knowledge.”

Grewal mentioned the court cases in opposition to Brown and SolarWinds are designed to underscore a message to inventory issuers: “Enforce robust controls calibrated in your chance environments and stage with buyers about identified issues.”

However for his or her section, the 30 CISOs who filed this month’s transient mentioned the SEC’s try to “weaponize” Brown’s candid critiques “can’t be reconciled” with the insistence that Brown didn’t sufficiently warn senior executives of SolarWinds’ vulnerabile state.

A number of the different defenses the 30 CISOs who filed this month’s transient presented, one is that the SEC’s lawsuit in opposition to Brown threatens to cool interior discussions and candid self-assessments comparable to those who Brown presented internally.

“The SEC’s motion would give CISOs an incentive to chorus from candid verbal exchange for worry that an interior e mail or presentation supposed to fortify cybersecurity measures will likely be taken out of context through the SEC to assert {that a} CISO intentionally misled buyers,” the transient learn.

Legal professionals for Brown and SolarWinds mentioned closing month in a movement to push aside the SEC’s case in opposition to the corporate that the SEC’s concentrated on of Brown used to be “now not simplest unwarranted however inexplicable” as a result of Brown merely did his process, and “did it smartly.”

“Brown isn’t even imagined to have performed a job within the corporate’s chance issue disclosures, and there is not any behavior alleged remotely suggesting that he ever sought to mislead buyers,” the movement to push aside reads. “The SEC additionally fails to articulate any coherent principle of aiding-and-abetting legal responsibility in opposition to Brown.”