The US Securities and Exchange Commission (SEC) is allegedly pursuing law enforcement action against SolarWinds due to an infamous data breach that impacted the company in 2019. According to the SEC, SolarWinds violated federal securities laws when disclosing the data breach and releasing statements. The breach, which was reported in 2020, could cost SolarWinds civil monetary penalties in addition to other consequences for the violations. The SEC action would also enjoin SolarWinds from future violations of the relevant laws.
The potential law enforcement action was recently disclosed in a Form 8-K filing with the SEC. SolarWinds states in the filing that it had received a notice from the SEC saying that the enforcement staff had decided to recommend law enforcement action against the company. The notice was in the form of a Wells Notice, which notifies a respondent about charges that may be brought by the regulator to the respondent in the future. A Wells Notice allows the respondent an opportunity to prepare a response to the charges. SolarWinds states that its disclosures and procedures were appropriate in the wake of the cyberattack, which was not discovered until late 2020 when security firm Mandiant discovered that its tools had been impacted by the attack.