Company Settles Shareholder Lawsuit for $26M
SolarWinds, maker of network management software famously hacked by the Russian government, now faces a potential investigation by the U.S. Securities and Exchange Commission over its disclosure of the incident.
Hackers from the Russian Foreign Intelligence Service in early 2020 injected the software updater for the company’s flagship Orion application with a Trojan. The company estimates the infection reached fewer than 100 customers – among them at least nine federal agencies.
The Austin, Texas-based company divulged the possible SEC probe in a shareholder filing. Federal regulators have made a preliminary determination that an investigation should proceed into whether the company violated securities law by failing to adequately disclose cybersecurity risks and incidents. They sent the company what’s known as a “Wells Notice,” a notification that stops short of a formal charge and allows the company to contest the preliminary staff determination, which SolarWinds says it will do.
Should the investigation proceed, the regulators may force the company to pay a civil penalty and promise to improve its disclosure controls. The SEC since 2011 has interpreted securities law as obligating companies to report risks and incidents, guidance it strengthened in 2018. Critics say the disclosures are typically cookie-cutter statements that reveal little about actual challenges in cyberspace. Earlier this year the SEC proposed a second revision to require current reporting about material cybersecurity incidents.
The potential investigation comes as SolarWinds says it’s agreed to settle a putative shareholder class action lawsuit in federal district court in Texas for $26 million. A consolidated complaint accused the company of misleading investors about the strength of its cybersecurity, charging it with sacrificing cybersecurity in favor of short-term profits for its two primary private equity investors, Silver Lake Partners and Thoma Bravo.
The company’s share price plummeted after the hack became public and has yet to recover to pre-incident levels. The suit named the company, the two private equity firms and company CEO Kevin Thompson and Vice President of Security Tim Brown as defendants.
A federal judge in March dismissed the complaint against Thompson but ruled the other defendants would continue to face litigation. On Thursday the parties filed a notice informing the court that they had reached an agreement.
The company, its private equity investors and the SEC did not immediately respond to a request for comment.