
If we're being critical here, I'd also argue that often the CISO's job and main concern is simply making sure they have the right paperwork and motions in place to pass a given set of industry audit standards. These people are not always even capable of understanding the technical security of a product.

Paper security like this is often a minimum bar, and sometimes even below minimum when the audit checklists lag best practices like "password rules" requirements did for so long.

I agree that if the CISO is liable, they should also actually be responsible, but making the CISO responsible won't by itself fix the industry's security issues.



The password example feels egregious, but keep in mind that the investigators spent months if not years combing through corporate records and are now showcasing the most embarrassing finds in the framing of their choice. I bet there's not a single company in the world where some engineer didn't at one point set up a dumb password as a part of some one-off integration. The job of the security team is to systematically track down stuff like that, but you never reach 100%. There are things you don't see.

What feels particularly weird here is that SolarWinds wasn't compromised by a Bulgarian cybercrime gang. They were compromised by a nation state. While the SEC is notionally focusing on other stuff, this is ultimately the company's original sin. How many businesses, no matter how strong their security posture, can really say that they're immune to that?


The problem is not being hacked. The SEC doesn't want companies to be hack proof or to force them to dump millions into security.

They want companies to be more transparent and honest with shareholders about their current security gaps and to report hacks in a timely manner. It's fine to be insecure but honest; what is never fine is lying to investors.

Bad investments are fine, bad investments pretending to be good ones aren't.


I'm not here to defend SolarWinds, and it's entirely possible that they were a "bad investment pretending to be a good one", but I have some issues with this framing.

First, contrary to your assertion, there is no doubt that they're in trouble because of getting hacked by a nation state (and dutifully disclosed it). This wasn't some routine audit, wasn't a whistleblower complaint. The only reason the SEC went after them is that they had the misfortune of falling prey to an attack that few other businesses could conceivably repel. So, I'm not sure that's sending a great message.

Second, the complaint isn't showing that the company brazenly and deliberately deceived investors. It's not that the SEC peeked under the hood, immediately realized this is messed up, and had to act. No, they spent months poring over every email, and all they came up with is not exactly a smoking gun. The whole complaint is basically "the company only made generic investor disclosures, but we found instances where specific employees pointed out more specific deficiencies."

Ignoring the one-sided narrative of the complaint, the actual quotes they have don't paint the picture of a deliberate conspiracy. They paint the picture of normal day-to-day communications where people sometimes say dumb things, blow things out of proportion to try to get resources, etc.


I think your stance is way more balanced. I was mostly speaking to what I believe is the message the regulator wants to send, regardless of whether it's fair in its essence. Thanks for balancing out the thread.


The thing that was so egregious about Solarwinds is that, given their line of business, they were obvious targets for nation state actors. This is similar to any business that itself is a supplier of highly privileged software to large numbers of clients (e.g. password managers or cloud providers are in the same boat).

And while the password example could have been a one-off, everything I've read about Solarwinds says they had a horrendously bad security culture. Bad security cultures are essentially unfixable without a top-down, CEO-driven initiative that places real carrots and sticks for individuals' security posture. Even then, 95% of these initiatives are bullshit, because they boil down to "Security is our top priority! Oh also if we miss our revenue targets a bunch of people are getting fired."

I think the CISO's actions were pretty bad, but I also think there are lots of other execs at Solarwinds who are quite happy he's now the sacrificial lamb.


Nation states, like anyone else, have budgets. No company is immune to the full weight of a major nation state, but most of the time that is not brought to bear. You don't need to be impossible to hack; you just need to be hard enough that the value gained is less than the effort required.

Still a pretty tall order, but a few steps down from impossible.


Isn't this a "I don't have to be fast, just faster than you" scenario when a bear is chasing you and all your peers?

There's always going to be a curve and if anyone on the front side of the bell curve is below the threshold for "worth the effort" then this seems like a useless goal. I agree with other posters that this is more about transparency.



