Bart Kalsu, Tim Brown Could Face Monetary Penalties, Public Company Officer Ban
The Securities and Exchange Commission accused SolarWinds CFO Bart Kalsu and CISO Tim Brown of violating securities laws in their response to a high-profile software supply-chain cyberattack in 2020.
The Austin, Texas-based IT infrastructure management vendor revealed late Friday that Kalsu and Brown are among “certain current and former executive officers and employees” targeted by the SEC for their role in responding to the Russian hack of the Orion network monitoring product. For each individual, SEC staff have recommending filing a civil enforcement action alleging violations of federal securities laws.
If the SEC proceeds with enforcement action, Kalsu, Brown or the others could face civil monetary penalties or an order barring them from serving as an officer or director of a public company. SolarWinds said in a shareholder filing that its disclosures, public statements, controls and procedures were appropriate, and that it plans to vigorously defend itself against any enforcement action.
“We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers,” a company spokesperson told Information Security Media Group. “Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”
Back in October, the SEC alleged that SolarWinds itself violated federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures. But SolarWinds didn’t disclose until Friday that SEC staff were now recommending authorizing enforcement action against specific individuals in the company (see: SolarWinds May Face SEC Investigation Over Hack Disclosure).
Kalsu, Brown and other individuals within SolarWinds received a “Wells Notice” from SEC staff, which stops short of formally charging anyone with wrongdoing and allows the individual or company to contest the preliminary staff determination. Neither Kalsu nor Brown immediately responded to an ISMG request for comment.
“Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”
– SolarWinds spokesperson
The SEC since 2011 has interpreted securities law as obligating companies to report risks and incidents, guidance it strengthened in 2018. Critics say the disclosures are typically cookie-cutter statements that that reveal little about actual challenges in cyberspace. Earlier this year the SEC proposed a second revision to require current reporting about material cybersecurity incidents.
Current, Former SolarWinds CEOs Not Specified as SEC Targets
SolarWinds has changed CEOs since the Russian foreign intelligence service injected a Trojan into the company’s Orion software updater, with ex-Pulse Secure CEO Sudhakar Ramakrishna starting as CEO in 2021. The CEO at the time of the attack was Kevin Thompson, who has since become CEO of continuous testing vendor Tricentis. SolarWinds didn’t indicate that Ramakrishna or Thompson got a Wells Notice.
Kalsu, 55, joined SolarWinds as vice president of finance in August 2007 and was promoted to his current role in April 2016. He previously spent two years as JPMorgan Chase’s vice president of commercial banking and three year as senior director of finance at Red Hat. Kalsu previously served on the board of directors of EP Energy and Athlon Energy.
Brown has been responsible for SolarWinds’ internal IT security, product security and security strategy since joining the company as CISO and vice president of security in July 2017. Prior to that, he spent five years as chief product officer at vulnerability risk management provider NopSec and four years as Dell’s executive director for security, where he viewed the portfolio from an internal and external standpoint.
Ramakrishna told ISMG in November that SolarWinds has in recent years done extensive work testing, validating and qualifying the integrity of the company’s source code. He said the company has stepped up its SOC capabilities and red-teaming programs to complement efforts to secure the company’s build process through static code analysis, pen testing and better understanding open-source vulnerabilities (see: SolarWinds CEO on How to Secure the Software Build Process).
“The image of SolarWinds itself has evolved quite drastically and dramatically,” Ramakrishna told ISMG in November 2022. “People in the past might have been skeptical about our secure by design work or our own competencies. But now, I routinely see customers, partners and others wanting to implement the techniques that we are using in their environment.”