Two pension funds sued the SolarWinds Corp. board in Delaware, blaming oversight failures that “defied elementary cybersecurity standards” for a massive cyberattack by Russian hackers that compromised the systems of major U.S. companies and “critical” government agencies.
The derivative lawsuit, made public Friday in Delaware Chancery Court, accuses the SolarWinds board of turning a blind eye before the hack to widespread warnings about “the specific and heightened risk” of “supply chain” attacks on cybersecurity companies themselves.
Although the directors “must have known” about the “catastrophic and surging risks” of supply chain cyberattacks, they “utterly” failed to monitor cybersecurity risks that are “mission critical” to a company like SolarWinds, the suit says. “These oversight failures had grave consequences.”
“We do not comment on pending litigation, but this action is similar to a purported derivative lawsuit filed earlier this year. More importantly, we continue to focus on deepening our relationships with customers and openly discussing our Secure by Design initiatives as we look to set the standard for secure software development,” a SolarWinds spokesperson said in an email to Bloomberg Law Friday.
According to the partly redacted complaint, SolarWinds employees voiced concerns about its cybersecurity policies for several years before the hack, which is “believed” to have been “directed” by Russia’s foreign intelligence service.
The company’s failures during that period—including the use of “solarwinds123” as a network password, a decision top executives have blamed on an intern—eventually drove one of its leading cybersecurity experts to resign, the suit says.
It also targets cost-cutting practices allegedly put in place by the company’s private equity backers, Thoma Bravo LP and Silver Lake, which aren’t named as defendants. They’re “well known” for slashing overhead and outsourcing important business processes, according to the complaint.
“The offshoring of its software development to foreign-owned firms in Belarus, Poland, Romania, and the Czech Republic,” former Soviet-bloc countries, presents “a heightened risk from Russian operatives,” the suit says.
It was originally filed under seal Nov. 1 by the Construction Industry Laborers Pension Fund, the Central Laborers’ Pension Fund, and two individual SolarWinds investors.
Cause of Action: Breach of fiduciary duty.
Relief: Damages, governance reforms, costs, fees, and interest.
Attorneys: The plaintiffs are represented by Saxena White PA, Grant & Eisenhofer PA, Robbins Geller Rudman & Dowd LLP, Friedman Oster & Tejtel PLLC, Kaskela Law LLC, and Cohen Milstein Sellers & Toll PLLC.
The case is Constr. Indus. Lab. Pension Fund v. Bingle, Del. Ch., No. 2021-0940, complaint unsealed 11/5/21.