SolarWinds Execs Targeted by SEC, CEO Vows To Fight

CEO says SEC penalties related to the 2020 SolarWinds supply chain attacks are unwarranted and is ready to mount a defense to any legal actions against the company or its employees.

2 Min Read
Solarwinds technology logo on smartphone screen in hand

This article originally appeared on Dark Reading.

The Security and Exchange Commission (SEC) has issued a notice to SolarWinds executives that it intends to bring enforcement actions against them for their role in the 2020 SolarWinds cyber incident. But neither SolarWinds as an organization nor its current or former employees seem prepared to go down without a fight.

In response to a Wells Notice issued by the SEC, SolarWinds CEO Sudhakar Ramakrisha sent an internal email to employees vowing to fight any legal action taken by the regulator.

"Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company," Ramakrishna told employees in the email provided to Dark Reading. "We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves."

While Ramakrishna goes on to cast the SEC's actions as a distraction to the organization's goals, a SolarWinds spokesperson tells Dark Reading that the SEC's actions against the company and its executives will ultimately hurt the wider cybersecurity community by discouraging disclosures to avoid facing penalties.

Related:How Third-party Risks Increase Data Breach Vulnerabilities

"We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers," the spokesperson added in an emailed statement. "Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure."

Although a Wells Notice like the one issued to SolarWinds executives this week isn't legally required, it's a common practice of the SEC to issue one ahead of enforcement, according to Cornell Law School, and it offers the opportunity for the target to submit a written statement to the regulator ahead of any decision being handed down.

Last November, the SEC issued a similar Wells Notice directed at SolarWinds, alleging the organization violated laws related to the breach disclosure as well as controls and procedures related to the infamous cyberattack

"SunBurst [SolarWind's preferred name for the incident] was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before," the company spokesperson added. "SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure."

Read more about:

Dark Reading

About the Author(s)

Becky Bracken

Editor, Dark Reading

Experienced journalist, writer, editor and media professional.

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like