(Updates with details from the complaint in paragraphs 3-4 and 5-6, background on hack in paragraphs 10-11)

NEW YORK, Oct 30 (Reuters) - The U.S. Securities and Exchange Commission (SEC) on Monday sued SolarWinds Corp and its top cybersecurity executive, saying they misled investors and the public over weaknesses amid a high-profile hack targeting the U.S. government.

The SEC filed its lawsuit in Manhattan federal court, accusing SolarWinds and its chief information security officer (CISO), Timothy Brown, of repeatedly violating U.S. securities laws by failing to disclose vulnerabilities and cyber events in regulatory filings and other company statements.

The lawsuit appears to be the first time the SEC has sued a firm that has been the victim of a cyberattack. It has typically charged public companies for inadequate security or misleading disclosures over hacks and data breaches.

SolarWinds slammed the SEC's allegations, saying it would fight the charges in court.

"The SEC's determination to manufacture a claim against us and our CISO is another example of the agency's overreach and should alarm all public companies and committed cybersecurity professionals across the country," it said.

Shares of SolarWinds dropped more than 3% in after-market trading following the filing of the lawsuit.

The SolarWinds hack, the outlines of which were first reported by Reuters, was one of the most sweeping cyber intrusions ever discovered. By subverting the company's software, hackers were able to use SolarWinds' flagship network management software - Orion - as a springboard into U.S. government networks and international targets.

Several government departments were compromised, including State, Treasury, Homeland Security, Commerce and Energy. The full consequences of the breach, some hidden behind layers of classification, are still unknown.

Regulators found SolarWinds misled the public about repeated cybersecurity risks it was experiencing from as early as its initial public offering in 2018 through its first disclosure about the attack in December 2020, the SEC said.

SolarWinds and Brown internally discussed known risks and vulnerabilities but painted a starkly different portrayal of its cybersecurity to the public, regulators said.

Several times before December 2020, customers including a federal agency notified SolarWinds of malicious activity on the firm's flagship software. The firm did not amend its public statements in the face of the red flags, the SEC said.

According to the SEC's court filing, the issues prompted one SolarWinds employee to say in October 2020: "We're so far from being a security minded company. Every time I hear about our head geeks talking about security I want to throw up."

(Reporting by Jonathan Stempel and Chris Prentice in New York; Additional reporting by Raphael Satter in Washington; Editing by Marguerita Choy and Tom Hogue)