
SolarWinds, the enterprise technology company made famous after suffering a nation state directed cyber attack in 2020, has been served notice by the SEC that further action is coming.

Not only did they receive their own Wells Notice in October, but now two individuals, their CFO and CISO, have as well.

This is the first time in history that a CISO has received a Wells Notice.

A CISO receiving a Wells Notice has sent a chill down the spine of many in the security community. It is also being discussed in corporate boardrooms and among governance professionals who are still awaiting the SEC’s final regulations on cybersecurity.

So, what should corporate directors know and do about this?

To shed some light on the practical implications for business leaders, we asked for insights from two of our OODA network experts, Bob Flores and Junaid Islam. Bob is an experienced CTO and CISO who has sat on corporate boards and advised many corporations on how to mitigate risk. He is a certified QTE, or Qualified Technical Executive, skilled in delivering business value to corporate boards seeking to mitigate systemic risk. Junaid Islam has created and led corporations and is known for his ability to help leaders make the most of technology while mitigating risks. He is also an inventor and creator of software protocols that make many parts of our long-haul telecommunications systems function. Both know security and technology leadership.

Background On The 2020 SolarWinds Incident

SolarWinds delivers enterprise technology for managing IT. One of their many products, a tool called Orion, is used to manage networks and bring visibility to enterprise technologists in companies and governments around the world.

The famous cyber attack occurred in 2020. It was discovered by a security firm that uses the software. As the investigation proceeded, it was determined in short order that the build process for the software had been compromised. An entity, later determined to be a Russian intelligence service, had gotten into the systems that SolarWinds used to manage and produce their software. This essentially meant that any end customer of this SolarWinds software could be compromised by the Russian intelligence services.

The incident response was massive and costly to multiple free world governments and businesses. SolarWinds itself leaned into the response and, from an outsider’s perspective, seemed to be doing everything in their power to make this right. I empathized with them. What company can withstand an attack by a high-end nation state?

There is, of course, room to criticize victims of cyber attacks, and soon some major criticisms turned into shareholder lawsuits and notices of investigation by the SEC.

The SolarWinds board was criticized. The members of the board were for the most part people from the security industry, who would be expected to pay attention to the potential for cyber attack. Directors were also criticized in lawsuits for not organizing and leading in a way that would enable appropriate governance over cybersecurity.

The key lawsuit was dismissed in September 2022, and that dismissal was just upheld on appeal. Basically, the suit was dismissed because the kind of apathy demonstrated by the board was not found to be illegal, and the directors were not shown to have acted in clear bad faith.

But this type of lawsuit is not the only issue facing companies in this position. 

The SEC has been investigating and, from what we can see, has now issued two Wells Notices: one in October putting the company itself on notice, and one last week sent to two individuals, the CFO and CISO of SolarWinds.

We don’t know exactly what was in the Wells Notice, but we do know the SEC had previously told SolarWinds it had found problems with their cybersecurity disclosures and with their internal controls and procedures.

The OODA Network Discussion of The Wells Notice

OODA network members Bob Gourley, Junaid Islam and Bob Flores examine many aspects of this new development, including:

  • What message a Wells Notice to a CISO sends to the security leadership community
  • What this might do to the relationship between CISOs and corporate boards
  • What corporate boards can do to reduce the chance that they will be subject to this sort of action
  • What companies can do in the face of cyber attack from a nation state like Russia or China
  • The new regulations for boards and companies that the SEC is promulgating in October
  • Whether private companies should pay attention to these actions
  • Whether boards should form cybersecurity committees
  • What the government can do to better protect US companies
  • Whether espionage is the same as attack
  • Whether this is something that compliance teams will address



About the Author

Bob Gourley

Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts who provide board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.