The Securities and Exchange Commission (SEC) has notified SolarWinds executives that it plans to initiate enforcement actions against them for their involvement in the 2020 SolarWinds cyber incident. However, both SolarWinds as a company and its current and former employees are determined to put up a strong defense.
Following the issuance of a Wells Notice by the SEC, SolarWinds CEO Sudhakar Ramakrishna sent an internal email to employees, expressing his commitment to fighting any legal action taken by the regulatory body. Ramakrishna stated, “Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company. We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.”
While Ramakrishna portrays the SEC’s actions as a distraction from the organization’s goals, a SolarWinds spokesperson argues that the SEC’s actions against the company and its executives will have negative repercussions for the broader cybersecurity community. The spokesperson emphasizes that such actions could discourage disclosures of cyber incidents out of fear of facing penalties, ultimately compromising the security of the industry as a whole. In an emailed statement, the spokesperson stated, “We are cooperating in a lengthy investigative process that seems to be progressing toward charges by the SEC against our company and officers. Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”
Although not legally required, a Wells Notice like the one issued to SolarWinds executives is a common step for the SEC before initiating enforcement actions. Cornell Law School states that the notice offers the target an opportunity to submit a written statement to the regulator prior to any final decision being made.
This is not the first time the SEC has taken action against SolarWinds. In November of last year, the SEC issued a Wells Notice accusing SolarWinds of violating laws pertaining to breach disclosure and controls and procedures related to the significant cyberattack the company faced. SolarWinds, however, denies any wrongdoing and argues that it followed established best practices for both cyber controls and disclosure throughout the incident. The company spokesperson defended SolarWinds by stating, “SunBurst [referring to the incident] was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before. SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure.”
As the SEC’s enforcement actions loom over SolarWinds and its executives, it remains to be seen how the situation will unfold. With the company and its employees determined to vehemently defend their actions, a lengthy legal battle may be on the horizon. The outcome of this case will undoubtedly have significant implications not only for SolarWinds but also for the broader cybersecurity landscape and the approach to cyber incident disclosures.