The SolarWinds cyber-attack was devastating in scope and impact. If any lesson can be learned from this event, the SolarWinds case presents all the pitfalls, enforcement and reputational damage, rolled into one tragic series of events.
In a recent 10-K disclosure, SolarWinds announced that it is the subject of ongoing investigations conducted by the Department of Justice, the Securities and Exchange Commission, and various state attorneys general focused on the cyberattack on its software. Also, SolarWinds is facing additional enforcement actions from international data protection agencies, most especially relating to the E.U.’s General Data Protection Regulation. In addition to these government investigations, SolarWinds is facing a pile of class action lawsuits.
Given the high-profile nature of the cyber-attack, DOJ and state enforcement actions are likely to seek relatively large settlements. The E.U. will follow suit to underscore the importance of proactive security strategies.
SolarWinds’ 10-K filing reflects the devastating impact a cyber-attack can have on a business. The 10-K is replete with admonitions, warnings and risk factors reflecting the devastating toll the cyber-attack has already had on SolarWinds’ business. In a candid acknowledgement, SolarWinds repeatedly highlights that the risk that the attack will have on its future business opportunities given the significant costs and reputational damages from the attack.
SolarWinds is a provider of information technology software used to manage an organization’s internal telecommunications systems. The cyberattack, which SolarWinds disclosed in December 2020, was likely carried out by Russian actors and sprawled across the government and various corporate clients.
SolarWinds is conducting its own internal investigation which uncovered that malware delivered malicious code into Orion’s software released in mid-2020. The malicious code was not injected into other software platforms maintained by SolarWinds. By the end of 2020, SolarWinds has incurred over $3 million in expenses. These costs are likely to increase substantially as SolarWinds completes its investigation, remedies deficiencies in its cyber protection solutions. Further, CyberWinds will incur legal and consulting expenses as it navigates the government enforcement and private litigation costs.
The Russian hackers infiltrated the Department of Homeland Security, the Department of Commerce, Treasury Department, Justice Department, and the Energy Department’s Nuclear Security Administration. In January 2021, the Administrative Office of the U.S. Courts disclosed that the cyberattack damaged PACER, the federal court management system.
It is estimated that at least 20,000 customers were impacted by the cyberattack. The SolarWinds attack was part of a broader Russian infiltration against U.S. Companies and the U.S government.
Another key reminder to protect against cyberattacks is the need for cyber insurance. SolarWinds disclosed that it has an insurance policy totaling $15 million. That is likely to be insufficient to cover the anticipated expenses and damages flowing from the government investigations and remediation.
As an initial step, SolarWinds released software revisions to address the attack. The revisions include a proprietary code to create a ready-solution to the malicious code injected into the software. SolarWinds is developing better security measures to prevent such an attack from recurring.
The SolarWinds incident has now re-energized Congressional interest in enacting a breach notification requirement for cyberattacks. Congress has proposed such a requirement for years but the SolarWinds attack may reinvigorate the support for this measure. The private sector has opposed such requirements as unnecessary and creating significant liability concerns from such notifications. Congressional leaders have emphasized the benefits of cyberattack notifications and sharing of information among key government actors.