N-able, the planned spinoff of SolarWinds MSP business, is a financial victim of the massive SolarWinds hack.

N-able has filed its registration statement with the Securities and Exchange Commission, in which it details the damage inflicted by the SolarWinds hack. SolarWinds should complete the spinoff later this spring.

The malicious hackers inserted malicious code, or Sunburst, into SolarWinds‘ Orion software updates sent to nearly 18,000 customers. SolarWinds released the updates between March and June of last year.

The espionage campaign has heavily impacted the federal government and the cybersecurity industry as a whole. Russian hackers reportedly carried out the malfeasance.

According to the Associated Press, the hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security. They also accessed the email accounts of members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries.

“Based on investigations to date, we have not identified Sunburst in any of our N-able solutions,” N-able said. “However, as a result of the cyber incident, we are faced with significant risks. As a part of SolarWinds and our prior branding as SolarWinds MSP, the cyber incident has harmed – and is likely to continue to harm – our reputation, our MSP partner and employee relations, and our operations and business as a result of both the impact it has had on our relationships with existing and prospective customers, and the significant time and resources that our personnel have had and may have to devote to investigating and responding to the cyber incident.”

Losing Customers

Customers have and may in the future defer buying or choose to cancel or not renew their agreements or subscriptions with N-able, it said.

N-Able, the SolarWinds MSP spinoff, expects to take a big hit financially from the massive hack.

N-able expects to incur “significant” costs and expenses related to the hack from investigations and related initiatives. Moreover, N-able will incur costs associated with addressing the damage to its reputation, and MSP partner and employee relations.

“If we are unable to maintain the trust of our current and prospective MSP partners and their SME customers, negative publicity continues and/or our personnel continue to have to devote significant time to the cyber incident, our business, market share, results of operations and financial condition will be negatively affected,” it said.

The threat actor had access to and may have exfiltrated source code and other confidential information across SolarWinds’ environment, which includes N-able.

Expect More Costs, Liabilities

The discovery of new or different information regarding the hack could further increase costs and liabilities, N-able said. And insurance may not cover these costs.

“Any such claims, investigations or lawsuits may result in the incurrence of significant external and internal legal and advisory costs and expenses and reputational damage to our business, as well as the diversion of management’s attention from the operation of our business and a negative impact on our employee morale,” it said. “We also may not have sufficient coverage for any claims or expenses to the extent that we are covered under SolarWinds’ insurance coverage and may share certain expenses related to the cyber incident with SolarWinds in future periods.”

Moreover, N-able said the hack may “embolden” other threat actors to target its systems. Also, it can’t ensure additional safeguards can successfully protect against cyberattacks. That could bring additional harm to the business.

N-able partners with more than 25,000 MSPs. It estimates the global market opportunity for its solutions to reach about $44 billion by 2025.