According to an internal email obtained by CNN, the CEO of SolarWinds informed employees on Friday that the company plans to vigorously defend itself against potential legal action from US regulators over its handling of the 2020 breach by alleged Russian hackers.
CNN reported: "The US Securities and Exchange Commission has informed current and former SolarWinds executives that it intends to recommend “civil enforcement action” alleging the company broke federal securities laws in its public statements and “internal controls” related to the hack, SolarWinds said in a filing with regulators on Friday."
According to the Biden administration, hackers affiliated with the Russian foreign intelligence service reportedly utilized SolarWinds software to gain access to the email networks of several government departments, including Homeland Security and Justice. This security breach is seen as a failure of cybersecurity and counterintelligence, and US officials have made a commitment to correct the issue.
The recent SEC notice suggests that SolarWinds may face a civil lawsuit from US regulators, which could lead to penalties or fines. However, receiving a Wells notice does not automatically mean that SolarWinds violated any laws. In an email to employees, CEO Sudhakar Ramakrishna expressed disappointment at the SEC's position, stating that SolarWinds had been forthcoming with information and had cooperated with the investigation.
Wow, first you get hacked by the Russians, then you get sued by the US Government...
6/29/2023 [MORE] Author Kim Zetter observed on LinkedIn: "Last week the SEC sent Wells notices to SolarWinds employees warning them that they may face legal action over the company's 2020 hack. But it's slipped the attention of many that one of the people who got a notice was the company's CISO - a very rare and significant move that indicates more CISO's could face similar action in the future.
A Wells notice indicates the SEC has found evidence the recipient of the notice violated federal securities laws and the SEC may bring civil enforcement action against them. If the SEC does bring action, it could result in a monetary fine and a prohibition against the person from ever being an officer or director of a public company in the future. “It’s not common for any Wells notice to be sent to a company in relation to cybersecurity,” a former DoJ prosecutor told me for my story, who said they're typically only sent to CEOs or CFOs over securities or other financial fraud.
This may be the first time a CISO got a Wells notice. He says this is because a CISO’s activities in the past typically didn’t materially impact a company’s value or stock price. But in the era of mega breaches and cyberattacks that affect critical infrastructure, the SEC has recognized that this is changing. He says CISOs and companies should expect more of these in the future. Here's my story about it:
(Original Story at CNN)
