SolarWinds execs hit with SEC Wells notice related to 'Sunburst' cyberattack

Current and former executives including its CFO and CISO received Wells notices that they may be subject to civil enforcement action in relation to the late 2020 SolarWinds Orion cyberattack

SolarWinds has revealed that some of its current and former executives were issued a Wells notice by the US Securities and Exchange Commission related to potential violations stemming from the SolarWinds Orion cyberattack, also known as the Sunburst attack.

A Wells notice is a letter the SEC sends to companies or people after an SEC investigation is concluded, stating that the recipients will be subject to an enforcement action.

Receipt of a Wells notice typically means that the SEC, after finishing an investigation, has discovered evidence of possible violations of securities laws.

In Friday's SEC filing, SolarWinds wrote it had previously disclosed two shareholder derivative actions that were filed, purportedly on behalf of the company, asserting breach of duty and other claims against SolarWinds and some of its current and former officers and directors relating to the SEC's investigation of the Orion cyberattack. The company received a Wells notice in October, 2022.

However, the current filing was made to notify investors that "certain current and former executive officers and employees of the company, including the company's chief financial officer and chief information security officer," received Wells notices from the SEC staff, each in connection with the investigation.

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the US federal securities laws," SolarWinds wrote.

SolarWinds did not name any of the executives who received the Wells notices.

However, current CFO J Barton Kalsu and current CISO Tim Brown were serving in those roles at the time of the attack.

Kalsu has served as CFO since April, 2016, while Brown, who earlier this year was named CISO of the Year by the Globee Cybersecurity Awards, became CISO in 2017.

The executives referenced by the SEC have not yet been formally charged, SolarWinds said in the SEC filing.

"A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law. If the SEC were to authorise an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC's authority," the company wrote.

SolarWinds executives were not available to respond to a CRN request for more information.

SolarWinds "acted properly at all times"

However, SolarWinds, in an emailed statement to CRN not attributed to a specific person, said the company has acted properly at all times following the unprecedented Sunburst attack and is cooperating with the SEC.

"SUNBURST was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before.

"SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure. We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers.

"Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.

"The only possible way to prevent sophisticated and widespread nation-state attacks such as SUNBURST is through public-private partnerships with the government," SolarWinds wrote.

The December, 2020 manual supply chain attack against SolarWinds' Orion network monitoring platform sent shockwaves throughout the world, with suspected Russian foreign intelligence service hackers gaining access to US government agencies, critical infrastructure entities, and private sector organisations.

The victims included government, consulting, technology and telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote.

FireEye's CEO at the time said that only 50 of the 18,000 organisations that installed malicious SolarWinds Orion code into their network were "genuinely impacted" by the campaign, while Microsoft President Brad Smith said on December 17 that just over 40 of the company's customers were precisely targeted and compromised through trojanized Orion updates.