SolarWinds reaches $26m settlement with shareholders, expects SEC action
One 8-K filing, two bombshells
SolarWinds has agreed to pay $26 million to settle a shareholder lawsuit, and it's also expecting to be slapped with an enforcement action by Uncle Sam – both related to its infamous 2020 supply chain security fiasco, according to the software maker's most recent US regulatory filing.
At the end of October, SolarWinds reached a deal with investors who sued the company, alleging they were misled about its security posture in advance of the Russian cyberattack on the business, according to an 8-K filing [PDF] with the US Securities and Exchange Commission.
The settlement, which still must be approved by a judge, would require SolarWinds to pay out $26 million in claims, as well as shareholders' legal fees and the costs of administering the settlement. SolarWinds does not admit any wrongdoing.
Sometime in 2019, SolarWinds was pwned by Russian spies who used their illicit access into its network to compromise the vendor's build servers. Once that was done, the snoops sneaked a hidden backdoor into SolarWinds' IT monitoring software Orion, and pushed those updates through legit channels to SolarWinds' customers. After the malicious code was installed at end-user organizations, the spies had access to about 100 government agencies and private companies' networks.
The security breach was discovered by Mandiant in December 2020.
In January 2021, stockholders sued the embattled SolarWinds. And seven months later, the biz asked a US federal judge to throw out the lawsuit, insisting with a straight face that it was "the victim of the most sophisticated cyberattack in history," and describing the legal maneuverings from some of its smaller shareholders as an attempt to "convert this sophisticated cyber-crime" into an unrelated securities fraud court case.
In addition to reaching a settlement agreement on October 28, SolarWinds said it received a Wells notice — a letter from the SEC alerting the recipient that the financial watchdog may bring an enforcement action against the company or an individual — on the same day.
The US regulator began investigating the Orion security snafu back in 2021.
"The Wells Notice states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the company alleging violations of certain provisions of the US federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures," SolarWinds said in an 8-K filing.
Also in the filing, the software biz said it maintains that its "disclosures, public statements, controls and procedures" were above board, and it plans to submit a response to the SEC's notice.
SolarWinds did not respond to The Register's request for comment.
An SEC spokesperson, meanwhile, said the agency "does not comment on the existence or nonexistence of a possible investigation." ®