SolarWinds’ chief financial officer and chief information security officer have been told they—along with the company—could face civil enforcement action in the wake of the notorious 2020 Orion breach.
In a Securities and Exchange Commission filing on Friday, SolarWinds said “certain current and former executive officers and employees, including the Company’s Chief Financial Officer and Chief Information Security Officer” had received “Wells Notices” as part of the SEC’s investigation into the breach.
While not amounting to a formal charge or determination, a Wells Notice is a letter the SEC generally issues to organizations or individuals when it is planning to take action against them.
“The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws,” SolarWinds said in its filing.
CFO J Barton Kalsu and CISO Tim Brown have both been with SolarWinds since before the breach which impacted at least nine federal agencies and approximately 100 organizations. In its filing the company warned of the possibility the two men may be forced to leave their roles.
“If the SEC were to authorize an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC’s authority.”
Last November SolarWinds said the company itself had received a Wells notice from the SEC alleging violations of securities law “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures”.
SolarWinds has always maintained it acted appropriately following the December 2020 attack when Russian APT actors allegedly corrupted its Orion IT management software with Sunburst backdoor malware. Last week’s filing stated it intended “to continue to vigorously defend itself, including against any enforcement action or other charges”.
In an email to staff obtained by CNN, SolarWinds CEO Sudhakar Ramakrishna said the company would “continue to explore a potential resolution of this matter before the SEC makes any final decision”.
“Despite our extraordinary measures to cooperate with and inform the SEC, they continue to take positions we do not believe match the facts,” he said.
In October last year, SolarWinds settled a class action lawsuit for $26 million. The case, filed in SolarWind’s home state of Texas, was brought by shareholders who bought stock in the company around the time of the breach. They argued SolarWinds neglected its internal cybersecurity in the years preceding the breach and misled the public about the state of its digital security.
There was a different outcome in Delaware, however, where the state’s Supreme Court last month upheld a lower court’s decision to dismiss a similar case brought by SolarWinds investors.
In a statement emailed to media expanding on last week’s SEC filing, SolarWinds said the company had “acted properly at all times by following long-established best practices for both cyber controls and disclosure”.
“SUNBURST was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before,” the statement said.
“Any potential action [by the SEC] will make the entire industry less secure by having a chilling effect on cyber incident disclosure. The only possible way to prevent sophisticated and widespread nation-state attacks such as SUNBURST is through public-private partnerships with the government.”
