SEC Sends Wells Notice to SolarWinds Executives

On June 23, 2023, SolarWinds revealed via an SEC Form 8-K filing that the U.S. Securities and Exchange Commission (SEC) notified the company that “certain current and former executive officers and employees of the company, including the company’s chief financial officer and chief information security officer,” had received Wells Notices.

What is a Wells Notice, Exactly?

According to Investopedia, a Wells Notice is a “notification issued by regulators to inform individuals or companies of completed investigations where infractions have been discovered. It usually takes the form of a letter, which notifies recipients both of the broad nature of the violations uncovered as well as the nature of the enforcement proceedings to be initiated against the recipient.”

The Wells Notice is named after the 1972 Wells Committee, chaired by John Wells, which was formed to review the enforcement practices and policies of the SEC. Receipt of a Wells Notice by a company or by individuals means that the SEC may bring a civil legal action against the person or firm named in the notice. That individual or company has a certain number of days to respond to the notice and will also have the opportunity to argue factual and legal reasons why an action should not be brought against them. This response is known as a Wells Submission and usually takes the form of a legal brief.

Of course, since a Wells Submission and its contents are public information, it may not be in the defendants’ best interests to send one. “Anything alleged in the Wells Submission can be used against the defendant in the enforcement proceedings; it can also be subpoenaed and used against the respondents in any other civil litigation brought against the defendants,” according to Investopedia.

The 2022 Wells Notices, from October 28, 2022, and November 5, 2022, informed the company that the SEC made a “preliminary determination to recommend an enforcement action” against the company. These notices use the same verbiage as the “preliminary determination” from the SEC staff “alleging violations of certain provisions of U.S. federal securities law.” This June 2023 Wells Notice is directed at specific individuals; while they were not named, the filing referred to “certain current and former executive officers and employees of the Company, including the Company’s Chief Financial Officer and Chief Information Security Officer.” At the time of the 2020 breach, current CFO J. Barton Kalsu and current CISO Tim Brown were serving in those roles. Kalsu has served as CFO since April 2016, while Brown became CISO in 2017.

According to Dark Reading, SolarWinds CEO Sudhakar Ramakrishna sent an internal email informing the rank and file that the company was prepared to defend itself against the charges being brought forward by the SEC.

“Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company,” Ramakrishna told employees in the email provided to Dark Reading. “We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.”

The CISO’s Role

There is no doubt the supply chain compromise of SolarWinds Orion (also referred to as the SUNBURST attack) has prompted industry-wide review and introspection of software supply chains by customers and providers alike. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has been forthcoming with guidance and advice on protecting one’s supply chain as a means to reduce the likelihood of a similar compromise and, when one does occur, on the importance of having an incident response plan at hand.

The recent Wells Notices serve to highlight the changing landscape of the chief information security officer’s (CISO’s) role within companies, especially publicly traded companies such as SolarWinds. Coupled with the recent conviction of Joe Sullivan, the former CISO of Uber, over his actions following a breach, they move the discussion of personal liability in the performance of one’s duties front and center.

It would appear that CISOs need to ensure thorough documentation of any decisions made and the context of those decisions (i.e., what information was known and when the decision was made). Furthermore, it behooves entities to have an incident response plan in place before an incident occurs. That plan should provide a path to prompt, transparent disclosure that shares only confirmed information and is neither obtuse nor open to being construed as obfuscation.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
