Making It Personal: SEC Issues Wells Notices Against SolarWinds’ CFO and CISO

The cyber breach of SolarWinds’ software in 2020 (the “SolarWinds breach” or “cyber breach”) has been described as the “largest and most sophisticated attack the world has ever seen.” As a result of the cyber breach, SolarWinds has been the subject of multiple lawsuits and investigations, including a class action lawsuit that resulted in the company agreeing to pay a settlement of $26 million.

Most recently, in connection with the breach, SolarWinds’ chief financial officer (CFO) and chief information security officer (CISO) received Wells notices from the Securities Exchange Commission (SEC). These Wells notices (or warnings of potential SEC enforcement actions) shouldn’t necessarily come as a surprise but are worthy of a closer look, as there are insights to be gained.

This article will:

• Provide a brief background on the SolarWinds breach
• Explain what a Wells notice is
• Discuss the Wells notices that SolarWinds’ CFO and CISO received
• Provide important takeaways

The SolarWinds Cyber Breach

As we discussed in a prior article, the SolarWinds event in 2020 was a catastrophe. The cyberattack involved the compromise of SolarWinds’ network management and monitoring suite of products called Orion. Orion was used by more than 30,000 public and private organizations to manage their networks, systems, and IT infrastructure. Cyberterrorists, likely with ties to the Russian government, successfully hacked into Orion and injected malicious code that was then included in software updates SolarWinds released to its clients. That code made it possible for intruders to gain remote access to impacted customer operating systems.

This timeline from the US Government Accountability Office details the activities leading up to the breach, including remediation measures taken by the US federal government, SolarWinds, and others in the private sector. Missing from the timeline are details that are likely at the center of the Wells notices that SolarWinds’ CFO and CISO received. I’ll provide some background on Wells notices before diving into those details.

What’s a Wells Notice?

A Wells notice is typically a letter or telephone call from the staff of the SEC’s Division of Enforcement (the “Division”) to a company and/or person that is the subject of an SEC investigation.

A Wells notice communicates each of the following to recipients:

1. Informs them that the staff has made a preliminary determination to recommend that the SEC file an action or institute a proceeding against them;
2. Identifies the securities law violations that the staff has preliminarily determined to include in the recommendation; and
3. Provides notice that the recipient of the notice may make a submission to the Division and the SEC concerning the proposed recommendation.

While there isn’t a formal rule governing the Wells notice process, there was a release issued by the SEC in 1972 that describes the general procedures associated with Wells notices, as well as explaining that the purpose is to “afford persons under investigation by the [SEC] an opportunity to present their positions to the [SEC] prior to the authorization of an enforcement proceeding.”

The staff exercises discretion when issuing these notices. In practice, the staff generally refrains from issuing a Wells notice when there is a risk that evidence would be destroyed or there is ongoing fraud. For more on the SEC’s investigation process and Wells notices, see this Latham & Watkins article.

SolarWinds’ Wells Notices

SolarWinds and its employees have been the subject of a few Wells notices stemming from the SolarWinds breach. The first was sent by SEC staff to SolarWinds on October 28, 2022. SolarWinds disclosed that the notice stated that the staff “made a preliminary determination to recommend that the SEC file an enforcement action against [SolarWinds] alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.”

SolarWinds disclosed the second set of Wells notices on June 23, 2023. The company stated that these Wells notices were sent to “certain current and former executive officers and employees of [SolarWinds], including [SolarWinds’] Chief Financial Officer and Chief Information Security Officer.” As more information emerges, it will be interesting to learn who other than the CFO and CISO received Wells notices. For its part, SolarWinds has been clear in stating that “its disclosures, public statements, controls and procedures were appropriate, and it intends to continue to vigorously defend itself, including against any enforcement action or other charges.”

Initial reaction by many was that the Wells notices that SolarWinds’ CFO and CISO received were “a really big deal,” “unprecedented,” and “unusual.” Were these Wells notices newsworthy? Sure, but considering some of the details that surfaced in connection with the securities class action lawsuit that SolarWinds settled and the SEC’s continued focus on cybersecurity issues, they are not all that surprising.

Insights from SolarWinds’ Securities Class Action Lawsuit

SolarWinds’ disclosures do not go into much detail regarding the Wells notices received by its CFO, CISO, and other employees. However, by looking at details that emerged from the securities class action lawsuit that SolarWinds settled for $26 million, we gain some insight into what the SEC may be zeroing in on in terms of potential violations of US federal securities laws.

Some of the notable details to have emerged from the securities class action lawsuit that SolarWinds settled include:

• Indications that SolarWinds’ cybersecurity efforts were not as they seemed. The record referenced a presentation given to SolarWinds’ top executives by its former global cybersecurity strategist. The presentation predated the SolarWinds breach and addressed SolarWinds’ deficient cybersecurity practices. SolarWinds allegedly refused to implement the suggested cybersecurity improvements included in the presentation, which led to the former global cybersecurity strategist resigning.Additionally, 10 former SolarWinds employees stated that the company did not employ the cybersecurity measures it purported to employ. The employees stated the company did not have a security team, a security information policy, a password policy, security training, or even network segmentation to appropriately limit user access to parts of the SolarWinds network related to their job functions.
• “solarwinds123.” In 2019, a cybersecurity researcher notified SolarWinds by email that the password for the SolarWinds’ server from which customers downloaded software updates for the SolarWinds’ products had been publicly available for around one-and-a-half years. An intern had set that password as “solarwinds123.” SolarWinds changed the password within an hour of SolarWinds receiving the email, but the company didn’t disclose the password leak, nor its significance.
• The court found that plaintiffs sufficiently pleaded that SolarWinds’ CISO “acted with, at least, severe recklessness when he touted the security measures implemented at SolarWinds.” Plaintiffs pleaded that the CISO held himself out as a responsible and knowledgeable authority regarding SolarWinds’ cybersecurity measures. There were references to the CISO appearing in interviews endorsing SolarWinds’ cybersecurity efforts, his face being on the SolarWinds Security Statement page on the company’s website, and statements he made on a company podcast where he stated that the company was “focused on . . . heavy-duty hygiene.” Additional statements attributed to the CISO through the Security Statement included that SolarWinds “distributes security alerts,” requires employees to have “account, data, and physical security,” and implements “password best practices.” Those statements continued to be presented on the company website even after SolarWinds learned of the “solarwinds123” password issue, and the CISO continued to direct investors and customers to the Security Statement.
• “Security Team.” The Security Statement also made reference to SolarWinds “security team” that “focuses on information security, global security auditing and compliance, as well as defining the security controls . . . ” In maintaining that there was a “security team,” the plaintiffs referenced SolarWinds pointing to the global security strategist and the CISO. As noted earlier, the global security strategist resigned before the SolarWinds breach, and the CISO joined at some point after that resignation. The court said that two workers with different titles employed at two different times by SolarWinds doesn’t necessarily mean there was a “team.” The court stated: “The strength of Defendants’ assertions is about on par with the strength of Plaintiffs’ plausible allegations that former employees stated no such team existed.”

Why Did the SEC Send Wells Notices to the CFO and CISO?

First, the SEC’s focus on cybersecurity risks, events, and related disclosures is nothing new. Given the escalating cybersecurity risk to companies and not satisfied with the application by public companies of prior guidance, the SEC proposed and recently adopted rules on cybersecurity disclosure.

A month before the new cybersecurity disclosure rules, SEC Division of Enforcement Director Gurbir S. Grewal shared the five principles that guide the work across the Division to ensure companies are taking cybersecurity and disclosure obligations seriously. I encourage you to read these five principles with the SolarWinds details in mind:

1. Companies need to ensure that investors receive timely and accurate required disclosures related to cyberattacks.
2. Companies need to have real policies that work in the real world, and then they need to implement them.
3. Companies need to regularly review and update all relevant cybersecurity policies. Additionally, companies would be well-served by reviewing the SEC’s enforcement actions and public orders on these topics.
4. The right information must be reported up the chain to those making disclosure decisions. If they don’t get the right information, it doesn’t matter how robust your disclosure policies are.
5. The SEC has zero tolerance for gamesmanship around the disclosure decision. Grewal is referring to companies being more concerned about reputational damage than about coming clean with shareholders and customers whose data is at risk.

While the CISO receiving a Wells notice is now likely more understandable after reading this far, you may be asking why the CFO received a Wells notice.

The CFO’s role in SolarWinds’ cybersecurity program is unclear. However, SolarWinds’ internal controls may be the primary reason that the staff sent the CFO a Wells notice. In 2018, the SEC issued a report on an investigation relating to nine public companies that lost nearly $100 million as a result of cyber threats. In that report, the SEC cautioned public companies to consider cyber threats when implementing internal accounting controls. To the extent that SolarWinds’ internal accounting controls and disclosure controls and procedures did not appropriately address cyber threats (in the SEC’s view), it isn’t difficult to imagine why SolarWinds’ CFO, an individual who must certify the effectiveness of those internal controls, received a Wells notice.

Takeaways: 5 Ways to Reduce Risk

The SolarWinds facts seem to be egregious. Nevertheless, there are lessons to be learned from the SEC’s decision to send Wells notices to the SolarWinds CFO and CISO. To help reduce risk and enhance current cybersecurity-related processes, the following are some considerations for companies, board of directors, general counsels, and chief information security officers.

1. Assess your company’s cybersecurity risk management, strategy, and governance with the new SEC cybersecurity disclosure rules in mind. The SEC’s recent adoption of its new cybersecurity disclosure rules serves as a reason and opportunity to assess your company’s risk management, strategy, and governance processes. This is especially important because the plaintiffs’ bar, regulators, investors, and other stakeholders will undoubtedly focus on your company’s expanded cybersecurity-related risk management and governance disclosures. Read our blog for more information on the SEC’s new cybersecurity disclosure rules and ways to help reduce your liability.
2. Ensure your company’s cybersecurity policies are regularly reviewed and updated, and that employees are being trained on those policies. The solarwinds123 password issue discussed above is amusing to some degree, but it reinforces the need for companies to maintain cybersecurity-related policies and train their employees on those policies. It would be best for your company to be able to point to these safeguards if they must respond to inquiries into whether a cybersecurity breach could have been avoided.
3. Confirm that public statements regarding your company’s cybersecurity program and/or protections are accurate and consistent. Maintaining accurate and consistent disclosure is paramount for public companies, especially in the case of critical functions like cybersecurity. In terms of accuracy, your company shouldn’t overstate the robustness of its cybersecurity program and/or the experience of its CISO. Also, if your cybersecurity team is composed of one or two people, you may want to rethink calling it a cybersecurity team. With respect to consistent disclosure, as companies begin to draft disclosures to comply with the SEC’s new cybersecurity disclosure rules, it’s a good idea to align those disclosures with other external disclosures like those included in investor decks, information sheets, or on the company’s website.
4. Assess whether your company’s internal reporting processes will get the right information in a timely manner to those making disclosure decisions. To comply with the SEC’s new cybersecurity disclosure rules, most public companies need to bolster their internal processes to be able to timely conduct a materiality determination after a cyber incident. While developing these enhanced processes, contemplate updating cyber incident response plans to outline what information is important in making that materiality determination, as well as impressing upon all employees that it’s imperative they report any potential cybersecurity breaches. The reason is best summed in the following statement from Enforcement Director Grewal: “If [companies] don’t get the right information, it doesn’t matter how robust your disclosure policies are.”
5. Diligence your insurance. Even if your particular facts are more favorable than SolarWinds’, it doesn’t mean you or the company are free from becoming the subject of similar investigations or lawsuits after a cybersecurity breach. For this reason, it's a good idea to understand how you and your company may be covered, or not, under your company’s insurance policies. Remember that multiple insurance policies can and should respond in the case of a cybersecurity breach—including cyber insurance and directors and officers (D&O) insurance policies. How coverage applies will depend on many factors. Make sure you are working with a broker that can comfortably and expertly navigate those waters.

Parting Thoughts

The sky isn’t falling. The Wells notices that SolarWinds’ CFO and CISO received are notable, but not surprising. That said, SolarWinds’ Wells notices and the new cyber disclosure rules should serve as reminders that the SEC continues to focus on cyber threats and related disclosures. With the takeaways discussed above in mind, you and your company should be better positioned to reduce risk and enhance your current cybersecurity-related processes.