The SolarWinds Cyber-Attack – The Devastation and Wreckage

The Volkov Law Group

The SolarWinds cyber-attack was devastating in scope and impact. If any lesson can be learned from this event, the SolarWinds case presents all the pitfalls, enforcement and reputational damage, rolled into one tragic series of events.

In a recent 10-K disclosure, SolarWinds announced that it is the subject of ongoing investigations conducted by the Department of Justice, the Securities and Exchange Commission, and various state attorneys general focused on the cyberattack on its software.  Also, SolarWinds is facing additional enforcement actions from international data protection agencies, most especially relating to the E.U.’s General Data Protection Regulation. In addition to these government investigations, SolarWinds is facing a pile of class action lawsuits. 

Given the high-profile nature of the cyber-attack, DOJ and state enforcement actions are likely to seek relatively large settlements.  The E.U. will follow suit to underscore the importance of proactive security strategies.

SolarWinds’ 10-K filing reflects the devastating impact a cyber-attack can have on a business. The 10-K is replete with admonitions, warnings and risk factors reflecting the devastating toll the cyber-attack has already had on SolarWinds’ business. In a candid acknowledgement, SolarWinds repeatedly highlights the risk that the attack poses to its future business opportunities given the significant costs and reputational damage from the attack.

SolarWinds is a provider of information technology software used to manage an organization’s internal telecommunications systems.  The cyberattack, which SolarWinds disclosed in December 2020, was likely carried out by Russian actors and sprawled across the government and various corporate clients.

SolarWinds is conducting its own internal investigation, which uncovered that malware delivered malicious code into Orion’s software released in mid-2020. The malicious code was not injected into other software platforms maintained by SolarWinds. By the end of 2020, SolarWinds had incurred over $3 million in expenses. These costs are likely to increase substantially as SolarWinds completes its investigation and remedies deficiencies in its cyber protection solutions. Further, SolarWinds will incur legal and consulting expenses as it navigates the government enforcement and private litigation costs.

 The Russian hackers infiltrated the Department of Homeland Security, the Department of Commerce, Treasury Department, Justice Department, and the Energy Department’s Nuclear Security Administration.  In January 2021, the Administrative Office of the U.S. Courts disclosed that the cyberattack damaged PACER, the federal court management system.

It is estimated that at least 20,000 customers were impacted by the cyberattack. The SolarWinds attack was part of a broader Russian infiltration against U.S. companies and the U.S. government.

Another key reminder to protect against cyberattacks is the need for cyber insurance.  SolarWinds disclosed that it has an insurance policy totaling $15 million.  That is likely to be insufficient to cover the anticipated expenses and damages flowing from the government investigations and remediation.

As an initial step, SolarWinds released software revisions to address the attack.  The revisions include a proprietary code to create a ready-solution to the malicious code injected into the software.  SolarWinds is developing better security measures to prevent such an attack from recurring.

The SolarWinds incident has now re-energized Congressional interest in enacting a breach notification requirement for cyberattacks.  Congress has proposed such a requirement for years but the SolarWinds attack may reinvigorate the support for this measure.  The private sector has opposed such requirements as unnecessary and creating significant liability concerns from such notifications.  Congressional leaders have emphasized the benefits of cyberattack notifications and sharing of information among key government actors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© The Volkov Law Group | Attorney Advertising
