The chief executive of US software firm SolarWinds told employees Friday that “we intend to vigorously defend ourselves” in the face of potential legal action from US regulators over the firm’s handling of a sweeping 2020 breach by alleged Russian hackers, according to an internal SolarWinds email obtained by CNN.
The US Securities and Exchange Commission has informed current and former SolarWinds executives that it intends to recommend “civil enforcement action” alleging the company broke federal securities laws in its public statements and “internal controls” related to the hack, SolarWinds said in a filing with regulators on Friday.
The hackers – who the Biden administration said worked for the Russian foreign intelligence service – allegedly used SolarWinds software to access the unclassified email networks of the departments of Justice, Homeland Security and other agencies in a cybersecurity and counterintelligence failure that US officials vowed to rectify.
The SEC notice is an indication that US regulators are moving closer to bringing a civil lawsuit against SolarWinds that could result in fines or other penalties. A so-called Wells notice from the enforcement agency is not a formal charge or determination that a defendant broke the law.
“Despite our extraordinary measures to cooperate with and inform the SEC, they continue to take positions we do not believe match the facts,” SolarWinds CEO Sudhakar Ramakrishna said in the email to employees.
SolarWinds “will continue to explore a potential resolution of this matter before the SEC makes any final decision,” Ramakrishna said, adding that the SEC investigation could be a “distraction” to employees in the coming months.
The SEC did not respond to CNN’s request for comment Friday night. The Biden administration has increasingly embraced regulation as a means of forcing big software providers and critical infrastructure firms to improve their cybersecurity practices.
“We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers,” a SolarWinds spokesperson said in a statement to CNN. “Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”
Austin, Texas-based SolarWinds maintains that it acted appropriately in responding to the hack, which cybersecurity experts have called notable in its sophistication and scope. For several months in 2020, hackers used software made by SolarWinds and other technology firms to burrow into US government agencies and corporate victims in an apparent spying campaign.
Moscow has denied involvement.
After the hack became public, US lawmakers demanded answers from federal cybersecurity officials on why the hackers were undetected for so long, as well as criticized SolarWinds for its security practices prior to the hack.
But SolarWinds says it has instituted numerous security reforms in the years since the hack, and has pushed that message of reform in public appearance with federal officials.