The cost to American companies from shareholder and regulator lawsuits for being hit by cyber attacks is being revealed.
SolarWinds said it has entered into a binding agreement to pay US$26 million to investors to settle a class action lawsuit stemming from the 2020 compromise of the update mechanism of its Orion network management platform.
Separately, credit reporting company Experian reached a US$13.6 million settlement with 40 U.S. states arising from two incidents: a 2012 hack where a person posed as a private investigator to access sensitive personal information, and a 2015 hack where an attacker was able to access data of 15 million T-Mobile cellular customers that the company was storing.
As a consequence of that data breach, T-Mobile will have to pay the states US$2.5 million.
The agreement also stipulates Experian has to create and maintain a comprehensive information security program to protect the personal data it holds, and have a CISO who reports at least monthly to the CEO, and at least quarterly to the board, on cyber risks the company faces. There is also a lengthy list of other obligations.
The proposed SolarWinds settlement, which must be approved by a U.S. court, will have provisions that the settlement does not constitute an admission, concession, or finding of any fault, liability, or wrongdoing by the company.
SolarWinds also said it has been notified that the U.S. Securities and Exchange Commission (SEC) has made a preliminary decision to recommend filing an action alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements from the incident, as well as relating to the company’s internal controls and disclosure controls and procedures.
SolarWinds said it maintains that its disclosures, public statements, controls and procedures were appropriate and will submit a response to the SEC staff’s position.
An estimated 18,000 organizations that used Orion installed an infected update after a Russian-based threat group evaded security controls and compromised the Orion update mechanism. Of those organizations, it is believed 100 were hacked.
In a commentary, John Pescatore of the SANS Institute wrote that the US$26 million settlement cost alone “is many times more than SolarWinds would have spent to prevent this incident. That $26M is likely less than 20 per cent of SolarWinds’ total costs for failing to protect its development systems and product code, but raises a key point: more of these lawsuits are starting to succeed, so we are seeing more settlements.”
His colleague at the institute, Lee Neely, wrote that the total expense of the attack to SolarWinds will be “staggering, when you include this settlement, regulatory fines, remediation costs and lost business. The message here – make sure that you’re leveraging guidance on securing your supply chain. Whether a developer, distributor or consumer, nobody gets a free ride. If you see weaknesses in your processes, use the lessons learned from SolarWinds to build a case to take action, including taking a pass on suppliers and developers who are not doing their part to ensure their software is genuine and securely maintained/delivered.”