SEC puts SolarWinds CFO on notice in cyberattack probe

By Maura Webber Sadovi

• The Securities and Exchange Commission has contacted the Austin, Texas-based SolarWinds’ CFO J. Barton Kalsu and Chief Information Security Officer, Tim Brown, in connection with a previously disclosed investigation into a cyberattack against the company, stating that the regulator has “made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws,” according to a Friday SEC filing. 

• The SEC’s recent Wells notices, which only identified the senior executives by their titles, follow an earlier notification received by the company in November related to the SEC’s investigation into a cyberattack on the company’s Orion software platform and internal systems. The 2020 attack — attributed to a Russia-backed threat actor dubbed Nobelium — infected private sector companies and government agencies that used the software, sister publication Cybersecurity Dive reported. 

• SolarWinds CEO Sudhakar Ramakrishna asserted that the company and its employees acted “appropriately” both before and in response to the attack, dubbed Sunburst, noting the company is working to resolve the matter but will “vigorously defend” itself should the SEC initiate legal action, according to a copy of a Friday email sent to SolarWinds employees and shared with CFO Dive.

SolarWinds characterized the so-called Sunburst cyberattack as “a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before,” in an emailed statement sent by a SolarWinds spokesperson to CFO Dive.

The news underscores the growing potential legal exposure that CFOs have as they are increasingly expected to take on broader remits of responsibilities — including navigating new tech solutions — that are well beyond their more traditional finance and accounting duties. 

Jack McCullough, founder and president of the CFO Leadership Council, said he has not come across another situation where a CFO received a Wells notice related to a cyber incident.

But given that the concept of breach of duty is broad, McCullough said that it could be argued that a CFO might be perceived to be breaching their responsibilities should a cyberattack succeed. “Such a notion is undeniably unsettling,” McCullough wrote in an emailed response to questions from CFO Dive. “While the potential implications may be chilling, it is crucial for CFOs to navigate these challenges, continuously reassessing their strategies and remaining proactive in mitigating risks.”

Separately, Ramakrishna in his email Friday also warned that “any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure,” noting that public-private partnerships with the government are the “only” way to prevent such sophisticated nation-state attacks, the company’s spokesperson wrote.

An SEC spokesperson declined to comment.