In 2020, software company SolarWinds was hit with a supply chain cyberattack that compromised its Orion Platform software. The attack impacted thousands of victims. Three years later, the US Securities and Exchange Commission (SEC) is continuing its investigation into the attack. The oversight agency has indicated it may pursue civil enforcement action against current and former employees, including CFO J. Barton Kalsu and CISO Tim Brown.
What kind of liability could these individuals face, and what does the SEC’s investigation mean for other cybersecurity stakeholders?
The SEC Investigation
Hackers injected the Sunburst malicious code into SolarWinds' Orion Platform software. The National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation attributed the attack to the Russian Foreign Intelligence Service.
The threat actors behind the attack gained access in September 2019 and remained undetected until December 2020, according to the company’s investigation update on its Orange Matter blog.
The SEC sent SolarWinds a Wells Notice in October 2022, indicating its intention to pursue enforcement action against the company, according to an SEC filing. In a June SEC filing, the company noted that current and former employees, including its CFO and CISO, have received Wells Notices. These notices could mean SEC staff are recommending to “file a civil enforcement action against the recipients alleging violations of certain provisions of the US federal securities laws.”
SolarWinds asserts that it “has acted properly at all times by following long-established best practices for both cyber controls and disclosure,” according to an emailed statement. “We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers. Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”
Sudhakar Ramakrishna became president and CEO of SolarWinds in December 2020, the same month the cyberattack came to light. In a letter sent to the company’s employees, Ramakrishna acknowledged the SEC’s investigation and stressed that the company “always acted appropriately — before and in response to the attack.”
“We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves,” he writes in the letter.
In the wake of the Sunburst attack, SolarWinds has adopted a secure by design approach. On June 28, the company hosted a virtual event: Secure by Design. Ramakrishna; Chip Daniels, vice president of government affairs at SolarWinds; Eric Goldstein, executive assistant director for cybersecurity for CISA; Rep. Raja Krishnamoorthi (D-IL); and Rep. Darrell Issa (CA-48) talked about that approach, state-sponsored cyber threats, and the need for public-private partnerships.
“We need a model where government, where industry, and where our international partners are seamlessly and frictionlessly working together day in and day out to combat the threats that we are seeing today and getting ahead of the ones we are seeing tomorrow,” Goldstein said during the panel discussion.
While SolarWinds is looking ahead, it still faces the outcome of the SEC investigation. “The most significant consequence could be a crippling enforcement action, with a monetary fine that affects the economics of SolarWinds significantly and with its current and former executives facing individual liability,” says Braden Perry, a former federal enforcement attorney and current regulatory and government investigations attorney with business and litigation law firm Kennyhertz Perry.
The SEC’s focus on the company’s CFO and CISO comes shortly after the conclusion of the trial of Joseph Sullivan, the former CSO of Uber. Sullivan was charged with covering up a 2016 data breach at the ride-share company. Prosecutors recommended Sullivan receive 15 months in prison.
Michael Bahar, litigation attorney and co-lead of the global cybersecurity and data privacy practice at global law firm Eversheds Sutherland, noted that the judge in Sullivan’s case sent a clear message to other security leaders. “The judge imposed a sentence of three years’ probation, 200 hours of community service, and a $50,000 fine, while cautioning that chief security officers should not expect similar leniency in the future,” he explains.
What could the Wells Notices mean for the SolarWinds executives? The SEC “can ask a court for injunctive relief, civil monetary penalties, disgorgement, restitution, and certain bars on individuals, including barring that person as an officer or director of a public company,” according to Perry.
Perry notes that it isn’t unusual for the SEC to investigate individuals following a significant breach. “Generally, individual liability in SEC cases is usually limited to the CEO and perhaps CFO, depending on the circumstances,” he says. “If the SEC determines that the CISO played a role in the breach or failed to fulfill their responsibilities adequately … this would be a powerful message to IT personnel that potential liability may be tied to their action or inaction.”
The SEC’s investigation of SolarWinds executives is likely a part of a bigger trend. “The Wells Notice to certain senior officials is part of a strong regulatory trend to impress upon companies the need for senior officers and boards to take an active hand in cybersecurity,” says Bahar.
The SEC has proposed rules that would address cybersecurity risk management, strategy, governance, and incident reporting for public companies. Under this proposal, public companies would need to disclose the role management plays in implementing cybersecurity strategy and board of directors’ cybersecurity expertise, among other requirements.
“Companies should consider ensuring that cybersecurity starts at the top and permeates throughout all levels of the company; and when troubles strike, erring on the side of transparency,” says Bahar.