(Reuters) – The U.S. Securities and Exchange Commission has recommended an enforcement action against SolarWinds Corp over its public statements on cybersecurity and procedures governing such disclosures, the software firm said on Thursday.
The Austin, Texas-based company also said in a filing with the SEC that it has tentatively agreed to pay $26 million to settle a shareholder lawsuit about the software company’s cybersecurity disclosures ahead of a massive breach.
SolarWinds did not admit wrongdoing in the settlement, which requires approval by a judge.
The company was at the center of a cybersecurity crisis in December 2020, after hackers compromised SolarWinds software updates and used them to access the data of thousands of companies and government offices that used its products. The U.S. government has attributed the hack to Russia.
SolarWinds said Thursday it had received a Wells notice from the SEC alleging the company violated U.S. securities law “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.”
While a Wells notice does not necessarily mean the recipients have violated any law, the SEC issues the letter to firms when it is planning to bring an enforcement action against them.
SolarWinds said it will respond to the notice, and “maintains that its disclosures, public statements, controls and procedures were appropriate.”
A spokesperson for the SEC did not immediately reply to a request for comment.
Investors sued SolarWinds in 2021, alleging the company and two executives touted cybersecurity measures publicly while prioritizing cost cutting and profit for SolarWinds’ two largest investors.
The case is Bremer v. SolarWinds Corp et al., No. 21-cv-00002, U.S. District Court, Western District of Texas.
(Reporting by Jody Godoy in New York; editing by Richard Pullin)