SolarWinds ‘Confident’ It ‘Acted Appropriately’ After 2020 Hack: CEO
Sudhakar Ramakrishna told employees that SolarWinds will seek to prevent legal action from U.S. regulators, which he said is not warranted given the company’s ‘transparent’ response to the widely felt cyberattack.
SolarWinds executives are contending that possible legal action by U.S. regulators is misguided, given the company’s “responsible disclosure” and “transparent communication” after the widely felt 2020 cyberattack against the company and its customers, SolarWinds CEO Sudhakar Ramakrishna said in an email to employees.
“We are confident the company always acted appropriately—before and in response to the attack,” Ramakrishna said in the email Friday, a copy of which was provided to CRN by SolarWinds.
[Related: SolarWinds Execs Receive SEC Wells Notice Related To ‘Sunburst’ Cyberattack]
CNN first reported on the existence of the email, which was sent after the U.S. Securities and Exchange Commission issued a Wells notice to some current and former SolarWinds executives and employees.
The Wells notice indicates that an SEC investigation is concluded and that agency personnel are recommending a “civil enforcement action” against notice recipients, “alleging violations of certain provisions of the U.S. federal securities laws,” SolarWinds said in a filing with the SEC Friday.
In the 2020 attack, hackers linked to Russia’s government infiltrated SolarWinds’ software supply chain and infected the company’s Orion network monitoring software with a malicious impact. The tainted software was then downloaded by thousands of customers, including U.S. government agencies and major corporations, leading to numerous additional data breaches.
In the email to SolarWinds staff Friday, Ramakrishna said that it is “widely accepted there was nothing any company could have done to prevent a cyberattack of this scale, sophistication, and novelty.”
“Moreover, we responded transparently to the attack and effectively supported our customers and other stakeholders,” he wrote.
The SEC’s actions, however, “could cause a distraction in the coming months,” Ramakrishna said.
The company has taken “extraordinary measures” to cooperate with SEC investigators, but “they continue to take positions we do not believe match the facts,” as reflected in the distribution of Wells notices Friday, he wrote.
“We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision,” Ramakrishna wrote. “And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.”
SolarWinds specified in its SEC filing that its CFO and CISO are among the individuals who have received the Wells notices. Tim Brown has served as CISO of SolarWinds since 2017, and Bart Kalsu has been the company’s CFO since 2016.
In a statement Friday, SolarWinds said that “we are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers.”
“Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure,” the company said in the statement.