Solarwinds
The private equity firms who owned SolarWinds at the time of a supply chain compromise were added as defendants in a class action lawsuit brought by shareholders. (“SolarWinds letters” by sfoskett at https://www.flickr.com/photos/[email protected]N04/16100325080 is licensed under CC BY-NC-SA 2.0)

A class action lawsuit brought by SolarWinds shareholders following last year’s supply chain compromise of the company’s Orion management software added two new defendants: the private equity firms who owned the company and sold hundreds of millions of dollars in stock just days before the hack was publicly disclosed.

In a new consolidated complaint filed in a Texas district court, lawyers for the class argue that private equity firms Thoma Bravo and Silver Lake Partners and their business strategies played central roles in the cybersecurity deficiencies and lack of investment that led to the Orion hack. The lawsuit and its claims highlight the role that top-down, short-term business strategies from investors, particularly in the private equity space, can play in the cybersecurity investments that companies make.

Thoma Bravo and Silver Lake Partners combined owned approximately 80% of SolarWinds stock during the same time period that a group of hackers – believed to be working on behalf of Russia’s Foreign Intelligence Service (SVR) – compromised Orion’s build server and pushed a malicious software update to more than 18,000 SolarWinds customers. Further, Silver Lake managing partner Kenneth Hao, managing director Mike Bingle and two of its directors sat on SolarWinds board of directors, as did Thoma Bravo’s senior operating partner James Lines, managing partner Seth Boro and principal Mike Hoffman.

On Dec. 7, less than a week before the incident was disclosed to the public, Thoma Bravo sold $256 million in stock, while Silver Lake similarly dumped $203 million the same day. Following the disclosure, the price of SolarWinds’ stock per share dropped from $23.55 on Dec. 11 to just $14 on Dec. 18. As of June 1, the price sits at $16.32 per share and since then, it has never risen higher than $18.54. A number of other executives at the company, including former CEO Kevin Thompson, also sold millions in personal company stock in the month before the hack went public.

“All told, over the course of just a few days, the Company’s share price plummeted 34%,” lawyers for the class wrote. “Meanwhile, Defendants profited handsomely. From the beginning of the Class Period, Defendants reaped $730 million in proceeds from their sale of SolarWinds stock, including through the private equity firms’ sale of over $450 million in their own stock less than seven days before the initial disclosures that caused investors substantial losses.”

The suit also argues that SolarWinds’ security posture leading up to the hack was substantially weakened by budget decisions and lack of investment in security, decisions it ties directly to the business model pursued by both Thoma Bravo and Silver Lake. Both firms, the suit claims, are known for their “take-private, then public” strategies towards business acquisition, a multi-step process by which they identify and acquire “an undervalued company with revenue growth opportunities,” offload the debt from their purchase onto the acquired company, cutting costs and growing revenues before going public again and reaping the profits.

This is the same strategy they employed with SolarWinds, the suit argues. Following their acquisition of the company, the firms added $2 billion in debt onto SolarWinds’ ledgers, went private, “aggressively cut costs outside of the public shareholders’ view” and then went public again in 2018.

“Former employees have recounted how Defendant Thompson and the private equity firms that controlled SolarWinds sacrificed cybersecurity to boost short-term profits,” lawyers for the class wrote.

SC Media has reached out to both Thoma Bravo and Silver Lake for comment but has not received a response at press time.

The lawsuit also alleges that many of the cybersecurity practices advertised by SolarWinds in public comments and filings were either non-existent or served as window dressing to pump up the stock price. In particular, the suit points to a number of cybersecurity claims outlined on the company’s security statement posted on its website that the company had a dedicated security team, information security policy, security focused trainings for employees, a password policy, segmented its networks, conducted background checks on employees and limited user authorization.

Multiple former employees, including the company’s former global cybersecurity strategist Ian Thornton-Trump, told lawyers for the class that virtually none of these claims were true and that SolarWinds failed to follow “a host of basic security practices.” Thornton-Trump said he resigned from his position after company executives failed to heed the warnings and his security recommendations.

Multiple lawsuits from shareholders were filed against the company at the beginning of the year and were eventually merged into a consolidated class action in March.