SolarWinds is facing monetary and enforcement consequences as a result of its supply chain attack in 2020.

SolarWinds was the victim of a supply chain attack in which attackers compromised one of SolarWinds IT tools that was used by companies and government agencies around the world. As a result, at least 18,000 of SolarWinds customers downloaded the compromised software, with many being directly hacked.

It appears the company is now facing the consequences, both with shareholders and the SEC. In a filing with the SEC, the company says it has agreed to pay shareholders $26 million.

SolarWinds entered into a binding settlement term sheet with respect to the previously disclosed consolidated putative class action lawsuit….The settlement, if approved, would require the Company to pay $26 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement.

In addition, the company also revealed that it had been notified of an SEC Wells notice, which could lead to enforcement action.

Also on October 28, 2022, the enforcement staff of the U.S. Securities and Exchange Commission (the “SEC”) provided the Company with a “Wells Notice” relating to its investigation into the previously disclosed cyberattack on the Company’s Orion Software Platform and internal systems. The Wells Notice states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.

It is not surprising the SEC is taking such action. The SolarWinds attack was one of the most devastating cyberattacks in history and had a profound impact on companies and agencies. The US Judiciary even went so far as to return to paper records in the wake of the attack.