Updated on 2022-11-07: SolarWinds settlement
SolarWinds said it reached a settlement with its shareholders in a class-action lawsuit filed in 2021 in which the company was accused of misleading its investors about the 2020 hack and subsequent supply chain attack. According to documents filed with the SEC, the settlement is worth $26 million but still needs to be approved by the case judge. Read more: 2020 United States federal government data breach
Overview: SolarWinds Settles Shareholder Lawsuit for $26M
SolarWinds will pay $26 million to settle a lawsuit brought by its shareholders following its 2020 supply chain attack. SolarWinds says it expects to face enforcement action from the US Securities and Exchange Commission (SEC) as well.
Note
- Just this settlement cost alone is many times more than SolarWinds would have spent to prevent this incident. That $26M is likely less than 20% of SolarWinds' total costs for failing to protect its development systems and product code, but it raises a key point: more of these lawsuits are starting to succeed, so we are seeing more settlements.
- Expect the total expense to SolarWinds to be staggering when you include this settlement, regulatory fines, remediation costs and lost business. The message here: make sure that you're leveraging guidance on securing your supply chain; whether a developer, distributor or consumer, nobody gets a free ride. If you see weaknesses in your processes, use the lessons learned from SolarWinds to build a case to take action, including taking a pass on suppliers and developers who are not doing their part to ensure their software is genuine and securely maintained/delivered.
- An interesting defense strategy to claim they were the victim of "the most sophisticated cyberattack in history." There are parallels to a defense strategy employed by a cyber insurance company in denying a claim by using the war exclusion clause. As reported, neither strategy was successful. Adherence to basic cybersecurity practices, in this case a robust software configuration management process, would have limited the cost to the company in cleanup, recovery, and damage to the brand.
- Not only is $26M far more than preventing the problem would have cost, it is a tiny fraction of the cost to SolarWinds' customers and to our economy as a whole. That said, this may be a step toward holding suppliers accountable for distributing malicious code.
Read more in