SolarWinds, the Texas-based company whose software was breached in a major Russian cyberattack, said in a filing Monday it is cooperating with an inquiry from the Securities and Exchange Commission.
Relatively unknown just a few months ago, SolarWinds has been in the hot seat since hackers exploited vulnerabilities in its software to breach at least nine government agencies and about 100 companies. Last week, members of Congress questioned SolarWinds chief executive Sudhakar Ramakrishna about whether private companies like his can be trusted to protect the country from future attacks.
The SEC probe, which had not been disclosed previously, comes after the largest investors in SolarWinds sold $315 million in shares of the company days before the hack was revealed. The investor group avoided losses of more than $100 million, while the buyer, Canada’s largest pension fund, saw the value of its new shares decline more than 40 percent in the days after cyberattack became public.
A former SEC enforcement official told The Washington Post in December that, based on publicly known information, the stock sales would probably be investigated by the securities regulator. The former official, Jacob S. Frenkel, said the SEC would try to determine whether the investors withheld information about the possibility of a hack before unloading their stakes in SolarWinds. He said such a probe could take as long as a year.
A spokesman for SolarWinds declined to comment beyond the filing, which did not specify what the SEC was looking into. The SEC did not respond to a request for comment.
The stock sale was led by private equity firms Silver Lake and Thoma Bravo, which together own 70 percent of SolarWinds and control six of the company’s board seats. Their ownership gives them access to key information and makes their stock trades subject to federal rules around financial disclosures.
SolarWinds, Silver Lake and Thoma Bravo have all said they first learned of the security breach after the agreement was reached. Spokesmen for Silver Lake and Thoma Bravo declined to comment on the SEC inquiry.
Michel Leduc, a senior managing director at the Canada Pension Plan Investment Board (CPPIB), previously said he thought “no one was aware of the hack leading to our capital commitment” but said his firm was assessing the circumstances of the deal “for optimal certainty.”
A spokesman for the CPPIB did not respond to a request for comment.
Federal agencies affected by the recent Russian hacking include the departments of State, Justice, Treasury, Energy, Commerce and Homeland Security, as well as the National Institutes of Health, NASA and the Federal Aviation Administration, The Post has reported. In all cases, officials have said, the data stolen was unclassified and no operational systems were breached.