The Security and Exchange Commission (SEC) has issued a notice to SolarWinds executives that it intends to bring enforcement actions against them for their role in the 2020 SolarWinds cyber incident. But neither SolarWinds as an organization nor its current or former employees seem prepared to go down without a fight.
In response to a Wells Notice issued by the SEC, SolarWinds CEO Sudhakar Ramakrisha sent an internal email to employees vowing to fight any legal action taken by the regulator.
"Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company," Ramakrishna told employees in the email provided to Dark Reading. "We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves."
While Ramakrishna goes on to cast the SEC's actions as a distraction to the organization's goals, a SolarWinds spokesperson tells Dark Reading that the SEC's actions against the company and its executives will ultimately hurt the wider cybersecurity community by discouraging disclosures to avoid facing penalties.
"We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers," the spokesperson added in an emailed statement. "Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure."
Although a Wells Notice like the one issued to SolarWinds executives this week isn't legally required, it's a common practice of the SEC to issue one ahead of enforcement, according to Cornell Law School, and it offers the opportunity for the target to submit a written statement to the regulator ahead of any decision being handed down.
Last November, the SEC issued a similar Wells Notice directed at SolarWinds, alleging the organization violated laws related to the breach disclosure as well as controls and procedures related to the infamous cyberattack.
"SunBurst [SolarWind's preferred name for the incident] was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before," the company spokesperson added. "SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure."