(Bloomberg) -- The Securities and Exchange Commission alleged on Monday that SolarWinds Corp. defrauded investors by downplaying security risks ahead of a hack of its software that rippled through computer systems across the US government and corporate America.

The SEC also accused the top information security official at SolarWinds, Tim Brown, of breaking securities rules in a lawsuit filed in federal court in Manhattan. The action is the first time the regulator has sued a computer security executive for a cybersecurity-related issue.

The SolarWinds hack was among the worst cyber breaches in history, affecting hundreds of public companies and numerous government agencies. The motives behind the breach remain unclear. The US blamed Russia and sanctioned dozens of entities and officials for the hack. Russia denied any involvement.

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” SolarWinds said in a statement. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country.”

A lawyer for Tim Brown said his client performed his duties “with diligence, integrity and distinction.”

“Mr. Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” wrote Alec Koch, an attorney at King & Spalding.

Texas-based SolarWinds is exploring options including a potential sale, people familiar with the matter said last week.

Although the hack was disclosed in December 2020, Russian state-sponsored hackers breached SolarWinds networks as early as January 2019, according to investigations into the hack. When customers downloaded an update to a popular piece of SolarWinds software, they inadvertently installed a digital backdoor that allowed the hackers access to their networks.

The breach was considered particularly dangerous because of the sophisticated methods used by the attackers and because they lurked in victims’ networks for weeks or months undetected. However, many questions about the hacking campaign remain unanswered, including the types of data viewed or stolen by the attackers.

The SEC alleged that SolarWinds and Brown were warned of weak cybersecurity within the company but that they painted a far rosier picture to investors. The agency said that the company and Brown were regularly alerted to security deficiencies, with Brown writing in an internal presentation in 2018 that the “current state of security leaves us in a very vulnerable state for our critical assets.”

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir Grewal, the SEC’s enforcement chief, said in a statement.

--With assistance from Andrew Martin.

(Updates with company and SEC comments starting in fourth paragraph.)

©2023 Bloomberg L.P.