The legal and regulatory challenges facing SolarWinds — the IT management company that was at the heart of a 2020 software supply chain attack that compromised at least nine federal agencies and 100 private companies — have changed substantially over the past week as old threats have diminished and new ones have emerged.
On Oct. 28, the company settled a class-action lawsuit filed last year by shareholders against SolarWinds, several top executives and their two main private equity owners in the wake of the Orion breach. In the suit, lawyers representing the class argued that the company had neglected its internal cybersecurity in the years proceeding the breach and misled the public about the state of its digital security in public filings to the Securities and Exchange Commission and in media interviews.
The settlement, which lawyers from both sides are working to process and finalize by Dec. 8, will result in the company paying $26 million to a class of shareholders who purchased stock during the affected period.
“The proposed settlement resolves all claims asserted against the Company and the other named defendants in connection with the class action litigation and would contain provisions that the settlement does not constitute an admission, concession, or finding of any fault, liability, or wrongdoing of any kind by the Company or any defendant. There can be no assurance that the final settlement agreement will be executed or that such agreement will be approved by the court,” the company wrote in an SEC filing dated Nov. 3.
At the same time, SolarWinds revealed that it may soon be the subject of federal regulatory action regarding the breach, as the company was issued a “Wells Notice” by the SEC the same day indicating enforcement action may be forthcoming.
“The Wells Notice states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” the filing reads.
The notice comes after SEC Commissioner Gary Gensler forecasted intentions to take a more robust regulatory role scrutinizing the cybersecurity practices of publicly traded companies as data breaches, ransomware attacks and other incidents resulted in billions of dollars of losses and damages to companies and their customers. The commission has already voted to require investment advisors and investment companies to report cybersecurity incidents and major breaches to the agency and is looking to expand that rule to all publicly traded companies.
SC Media has reached out to a public relations firm representing SolarWinds for comment on both developments. The company has consistently denied any wrongdoing and in previous court filings argued that many of the public filings cited by shareholders in the lawsuit actually demonstrate that the company was more than forthcoming about the reality SolarWinds and many other businesses face around possible cybersecurity breaches, while warning stockholders in multiple ways that an incident could have a negative effect on the company’s business, stock price and reputation.
In an earnings call with investors Nov. 3, CFO Barton Kalsu mentioned the settlement, saying it would be covered through insurance and alluded to "ongoing government investigations."
"We are happy to announce that last week, we agreed to settle our securities class action lawsuit pending in the Western District of Texas for an amount that will be covered by insurance," Kalsu said, according to a transcript of the call obtained from Seeking Alpha. "While we still have ongoing government investigations related to cyber matters, and we'll continue our approach of transparency and collaboration, having resolved this litigation will enable the company to focus on our strategy."
The settlement ends a nearly two-year legal battle between SolarWinds and its stockholders over whether the company had inaccurately conveyed its security shortcomings and therefore improperly boosted its stock price. It also forgoes the need for a trial and lengthy discovery process that could have led to further embarrassing revelations.
The lawsuit named a number of individuals and parties — including former CEO Kevin Thompson and private equity firms and majority stockholders Thoma Bravo and Silver Lake Partners — all of whom sold millions of dollars in SolarWinds stock shortly before the breach was disclosed. A judge later refused a request by SolarWinds to dismiss the lawsuit, but removed Thompson from the list of defendants after determining that alternative explanations for the stock sale (namely that it was part of a pre-established plan as Thompson exited the company and not related to the breach) were at least plausible.
The lawsuit was closely watched as a test case of sorts for what, if any, legal liability SolarWinds might face in the wake of one of the most consequential software supply chain cyberattacks in history.
The breach, which was eventually attributed to the Russian SVR, corrupted a legitimate update from SolarWinds Orion software, which was broadly used within government and private industry. First discovered by Mandiant (also a victim) the update was downloaded by at least 18,000 SolarWinds customers, though the campaign is thought to have been far more targeted in nature, with Biden administration officials saying last year that it believed that up to nine federal agencies and 100 companies were actually exploited through the flaw.