SolarWinds may face legal action from the U.S. SEC for its cyber disclosures

The software company SolarWinds Corp announced on Thursday that the U.S. Securities and Exchange Commission had recommended enforcement action against it for its public comments on cybersecurity and protocols controlling such disclosures.

In a filing with the SEC, the Austin, Texas-based business also disclosed that it has provisionally agreed to pay $26 million to resolve shareholder litigation regarding the software company’s cybersecurity disclosures prior to a significant breach.

The SolarWinds logo is seen outside its headquarters in Austin, Texas, U.S., December 18, 2020.

In the settlement, which needs a judge’s permission, SolarWinds did not admit wrongdoing.

After hackers stole SolarWinds software updates and used them to access the data of thousands of businesses and government agencies using its products, the company found itself in the middle of a cybersecurity crisis in December 2020. The hack has been traced to Russia by American authorities.

SolarWinds said Thursday it had received a Wells notice from the SEC alleging the company violated U.S. securities law “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.”

A Wells notice is sent to companies when the SEC intends to take enforcement action against them, even though it does not necessarily mean the recipients have broken any laws.

In response to the notice, SolarWinds stated that it “maintains that its disclosures, public statements, controls, and processes were appropriate.”

An inquiry for comment was not immediately answered by an SEC spokeswoman.

Investors sued SolarWinds in 2021, claiming that while the firm and two officials publicly praised cybersecurity measures, cost-cutting and profit maximization for SolarWinds’ two main investors took precedence.