SolarWinds Corporation, which suffered a major breach of its Orion software platform in December 2020, submitted a U.S. Securities and Exchange Commission (SEC) filing on June 23rd, saying the enforcement staff of the SEC provided the company with a Wells Notice related to its investigation into the cyber incident.
A Wells Notice is a letter the SEC generally issues to organizations or individuals when it is planning to take action against them.
From the filing:
"Subsequently, certain current and former executive officers and employees of the Company, including the Company's Chief Financial Officer and Chief Information Security Officer, received 'Wells Notices' from the SEC staff, each in connection with the Investigation. The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws."
In a LinkedIn post today, June 26th, Jamil Farshchi, EVP and CISO at Equifax, had this to say about the news:
"This is a really big deal. It's unprecedented: this is likely the first time a CISO has ever received one of these. And the implications are immense: Wells Notices are no joke. They create massive career hardships—especially if one plans to work for a publicly traded company."
Jordan Fischer, attorney and partner at Constangy and frequent instructor and speaker for SecureWorld, offered this perspective:
"The recent Wells Notice sent to the CISO and the CFO at SolarWinds continues a trend we are seeing in the cyber space more generally: holding executives or high-ranking individuals within businesses accountable for cybersecurity and technology breaches. While these Wells Notices are official investigations, they are a sign of a potential intent to investigate the CISO and CFO. It will be interesting to watch how the SEC navigates this next stage and its broader impact on the approach by executives in managing cyber risk."
[RELATED: Suing the CISO: SolarWinds Fires Back]
Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, at Spencer Fane, LLP and frequent SecureWorld instructor and speaker, offered this perspective:
"The law evolves in incremental steps and, in my opinion, what this shows is a very early in developing—yet consistent—trend toward trying to name and hold individuals responsible for cybersecurity failures in companies, and it seems the CISO will be at the top of the list. While the facts of both the SolarWinds case and the recent prosecution and conviction of the Uber CSO make them exceptional and somewhat outlier cases for many reasons, we are seeing a pattern develop with federal enforcement that goes back to at least 2015 with the Department of Justice's 'Yates Memo' which encouraged the naming of individuals by explaining that 'One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.'"
CFO J. Barton Kalsu and CISO Tim Brown have both been with Austin, Texas-based SolarWinds since before the breach, which impacted at least nine federal agencies and approximately 100 organizations. In its filing, the company warned of the possibility that the two men may be forced to leave their roles.
CNN obtained an internal email in which SolarWinds CEO Sudhakar Ramakrishna defends the company and the actions it took after hackers allegedly used SolarWinds software to access unclassified email networks of the Departments of Justice and Homeland Security and other agencies.
"Despite our extraordinary measures to cooperate with and inform the SEC, they continue to take positions we do not believe match the facts," Ramakrishna said in the email to employees. SolarWinds "will continue to explore a potential resolution of this matter before the SEC makes any final decision," Ramakrishna said, adding that the SEC investigation could be a "distraction" to employees in the coming months.
[RELATED: 11 Security Changes SolarWinds Is Making Now]
Farshchi continued in his LinkedIn post, noting that Wells Notices are typically targeted at CEO- and CFO-types for violations such as Ponzi schemes, accounting fraud, or market manipulation.
"So it seems odd for a CISO to get one of these," he wrote. "But there is one violation that might fit… and it's one that's been gaining a lot of momentum lately: Failure to disclose material information. Things like failing to disclose the gravity of an incident… or failing to do so in a timely manner, could conceivably fall into this category."
According to a SolarWinds spokesperson quoted in the CNN article: "We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers. Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure."