SolarWinds CEO: Company Intends to Fight SEC Action Over 2020 Nation-State Cyberattack

SolarWinds' CEO says there's nothing his or any company could have done to prevent the attack.

Edward Gately, Senior News Editor

June 26, 2023

SolarWinds CEO Sudhakar Ramakrishna said his company plans to fight any enforcement action by the U.S. Securities and Exchange Commission (SEC) in connection with the massive breach disclosed in late 2020.

According to an SEC filing by SolarWinds, the enforcement staff of the SEC provided the company with a Wells Notice relating to the agency’s investigation of the cyberattack. In addition, former executive officers and employees of the company, including CFO J Barton Kalsu and CISO Tim Brown, received Wells Notices.

“The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws,” SolarWinds said in the filing.

A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, it said.

“If the SEC were to authorize an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC’s authority,” SolarWinds said.

SolarWinds CEO Says Company Plans to ‘Vigorously’ Defend Itself

The results of the SEC investigation and any potential enforcement actions are unknown at this time, SolarWinds said.

“The company maintains that its disclosures, public statements, controls and procedures were appropriate, and it intends to continue to vigorously defend itself, including against any enforcement action or other charges,” it said.

SolarWinds began notifying its customers of the breach in mid-December 2020. Early on, the company reported up to 18,000 customers could have been vulnerable to the malicious code used by the attackers. Later, it said fewer than 100 SolarWinds customers were hacked.

SolarWinds sent us the following statement:

“Sunburst was a highly sophisticated and unforeseeable attack that the U.S. government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before. SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure. We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers. Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure. The only possible way to prevent sophisticated and widespread nation-state attacks such as Sunburst is through public-private partnerships with the government.”

SolarWinds CEO’s Email to Employees

In an email to SolarWinds employees, Ramakrishna said despite “our extraordinary measures to cooperate with and inform the SEC, they continue to take positions we do not believe match the facts.”

“Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company,” he said. “We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.”

The U.S. government and the security community have said the cyberattack was carried out against SolarWinds and other technology companies by a determined nation-state actor – identified as Russia by the White House – using novel techniques and spy craft the “world’s best cybersecurity experts had never seen before,” Ramakrishna said.

“It is widely accepted there was nothing any company could have done to prevent a cyberattack of this scale, sophistication and novelty,” he said.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
