SolarWinds, the federal contractor breached by suspected Russian hackers, acknowledged investigations and inquiries from the Securities and Exchange Commission, the Department of Justice and several state attorneys general, in a filing on Monday.
The Texas-based company disclosed the investigations, which include inquiries related to the European Union’s General Data Protection Regulation, in its annual report to investors Monday. The company noted it expects to face significant costs from the various investigations. Executives previously suggested that SolarWinds would pay $20 to $25 million in security-related expenditures to resolve the incident.
SolarWinds did not describe the exact reasons for the investigations in the filing. The disclosure is the latest indication, though, that SolarWinds will be dealing with the fallout of a suspected Russian espionage campaign, which undermined one of the company’s software updates with malicious code to breach nine U.S. government agencies, for months.
“Numerous domestic and foreign governmental authorities are investigating events related to the Cyber Incident, including how it occurred, the consequences thereof and our response thereto,” the company said. “We are cooperating and providing information in connection with these investigations and inquiries and are incurring, and in future periods expect to incur, costs and other expenses in connection with these investigations and inquiries.”
SolarWinds also disclosed that it had paid $3.5 million to address the breach through December 31, 2020. The figure includes costs to investigate and remediate the incident, legal and professional costs and consulting services the firm has provided to customers, the firm said.
The disclosure of the various investigations comes after top investors in the firm sold off millions of dollars’ worth of shares before the breach was revealed publicly, which allowed them to avoid losses other investors incurred after the disclosure, when the company’s stock price plummeted, according to The Washington Post. Silver Lake and Thoma Bravo, the private equity firms that bowed out early, have said they found out about the incident after the fact.
In addition to the SEC, DOJ, state attorneys general and GDPR inquiries, the Texas-based company is also facing off with a class-action lawsuit shareholders filed against the company and some executives in January.
The class-action suit accuses the executives and the company of lying to shareholders about its security posture.
The investigations and the scale of costs the company faces, in addition to the blow its reputation faces moving forward, could raise questions about whether and how a company that’s been wrapped into a nation-state’s espionage operation as collateral damage can recover. SolarWinds notes the fallout from the breach may “have a negative impact on employee morale” and result in the “diversion of management’s attention from the operation of our business,” which could spell future trouble for shareholders and for the company’s day-to-day operations.
SolarWinds also acknowledges in its filing that the investigations and accusations are already causing “significant costs and expenses,” which the company notes “may not be covered by insurance,” and which may not be the only costs it will incur as a result of the breach.
Many insurance plans have begun offering coverage for cybersecurity incidents in theory in recent years, but when it comes time to address incidents in practice, victims of cyberattacks have often found that insurers don’t actually dole out the assistance and meet claims when it’s needed most.
Lawmakers have been questioning SolarWinds’ chief executive Sudhakar Ramakrishna in recent days about how it became the vector for the attack, raising questions about whether victims of cyberattacks are to be blamed in cases involving sophisticated cyber actors such as the suspected Russians behind this breach.
Ramakrishna has told U.S. leaders the firm is working with other entities in the private sector as well as the Department of Defense and the National Institute of Standards and Technology to discuss lessons learned. Ramakrishna has suggested it could work to overhaul how SolarWinds builds software in the future to thwart potential hackers interested in launching supply-chain based cyber-operations through its software.