IT software giant SolarWinds has agreed to pay $26 million to settle a securities class action lawsuit filed by shareholders over the cyberattack on the company’s Orion software platform and internal systems that was discovered in late 2020.
The technology giant disclosed the settlement in a regulatory filing on Nov. 3 and also warned it has received notice from the Securities and Exchange Commission that the regulator has made a preliminary decision to file an enforcement action against the company over the cyber breach.
“SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” SolarWinds disclosed in its 8-K filing.
During the breach, which was disclosed in late 2020, suspected Russia-backed hackers used routine software updates to add malicious code into the company’s Orion software product, which was used as a vehicle for a major cyberattack launched against private and public sector entities.
At least eight federal government agencies had systems compromised as a result of the attack.
As part of the settlement, the software maker did not acknowledge any wrongdoing and alleged they were misled about its security apparatus in advance of the attack. The sum will be paid by the company’s insurers who authorized and approved the sum, according to an 8-K filing with the US Securities and Exchange Commission.
“The settlement, if approved, would require the Company to pay $26 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement,” the company said in its 8K filing.
The SolarWinds attack took place over the course of almost nine months and affected roughly 18,000 entities in total.
The cyberattack occurred because SolarWinds, an IT company that runs network management systems for thousands of clients, was infiltrated through the company’s Orion software updates distributing malware to its customers’ computers.
In early 2021, SolarWinds stockholders sued the company after the stock tanked from news of the supply chain attack on SolarWinds’s software, which was first publicly reported in December 2020. In the second half of 2021 the company asked a US federal judge to throw out the lawsuit, claiming that it was “the victim of the most sophisticated cyberattack in history,” and described the legal arguments of certain shareholders as a way to “convert this sophisticated cyber-crime” into an unfair and unrelated securities fraud lawsuit.
As a result of the Wells notice, the SEC could force the company to stop engaging in future violation of federal securities laws subject to the action, impose civil monetary penalties and other equitable relief within the agency’s authority.
It remains unclear if or when the SEC will take enforcement action and what the potential consequences of this could be for SolarWinds.