The Securities and Exchange Commission has notified the chief financial officer and CISO of SolarWinds about potential enforcement actions related to the 2020 cyberattack against the company’s Orion software platform, the company disclosed in a regulatory filing with the agency.
SolarWinds CFO J. Barton Kalsu and CISO Tim Brown each received the formal notification from the SEC, known as a Wells Notice, alerting them to potential civil enforcement actions stemming from a previously announced investigation into the company’s response to the attack.
SolarWinds in November 2022 disclosed it had received a Wells Notice in connection with the cyberattack. The investigation concerns potential violations of securities laws relating to cybersecurity disclosures and public statements.
The SEC was also looking into the company’s internal controls as well as its disclosure controls and procedures.
The campaign, attributed to a Russia-backed threat actor dubbed Nobelium, involved a supply chain attack in which malware was installed on the Orion platform and infected private sector companies and government agencies that used the software. SolarWinds was the highest-profile victim among the numerous companies attacked during the same campaign.
SolarWinds CEO Sudhakar Ramakrishna defended the company’s actions in a letter to employees Friday.
“Despite our extraordinary measures to cooperate with and inform the SEC, they continue to take positions we do not believe match the facts,” he wrote in the letter. “We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision.”
The letter states the company plans to defend itself if the SEC decides to pursue any legal action.
Potential SEC measures against the executives include barring them from engaging in the same actions in the future, imposing civil penalties or barring them from serving as officers or directors of public companies, according to the filing.
“Sunburst was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before,” a company spokesperson told Cybersecurity Dive in an emailed statement. “SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure.”
The company said it is cooperating in a “long investigative process that seems to be progressing to charges by the SEC against our company and officers.”
Potential enforcement action would make the industry less secure “by having a chilling effect on cyber incident disclosure,” a spokesperson said.
A spokesperson for the SEC said the agency “does not comment on the existence or nonexistence of a possible investigation.”
The SEC has taken numerous steps to increase transparency and governance related to cybersecurity in recent years. In March the SEC reached a settlement with Blackbaud for $3 million in connection with disclosures related to a 2020 ransomware attack.
The agency earlier this month postponed a final rule on cyber incident disclosure requirements for publicly traded companies.