“The Wells Notice states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures,” SolarWinds stated in the press release.
“A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law,” SolarWinds continued. “The company maintains that its disclosures, public statements, controls and procedures were appropriate and will submit a response to the SEC staff’s position.”
In December 2020, it was revealed that SolarWinds had been the target of a data breach, in which hackers associated with Russia’s foreign intelligence service infiltrated the SolarWinds network and gained elevated credentials by implanting malicious code within a software update to SolarWinds Orion products, according to Microsoft’s analysis of the attack.
Once implanted, the software connected to a server controlled by the hackers, allowing them to launch further attacks against SolarWinds customers, which included hundreds of large companies and federal agencies.
In April 2021, a SolarWinds executive told NPR that the breach had compromised roughly 100 companies across numerous industries and a dozen government agencies. Compromised companies included Cisco, Intel, and Microsoft, while compromised federal agencies include the Department of Justice, Department of Treasury, the Pentagon, and more.
That same month, President Joe Biden declared in an executive order that the Russian Foreign Intelligence Service was responsible for the “broad-scope cyber espionage campaign” that exploited the SolarWinds Orion platform. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.