SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, DC 20549
PURSUANT TO SECTION 13 OR 15(d) OF
THE SECURITIES EXCHANGE ACT OF 1934
December 14, 2020
Date of Report (Date of earliest event reported)
(Exact name of registrant as specified in its charter)
| || || |
|(State or other jurisdiction|
7171 Southwest Parkway
Austin, Texas 78735
(Address of principal executive offices) (Zip Code)
Registrant's telephone number, including area code: (512) 682-9300
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2. below):
|☐||Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)|
|☐||Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)|
|☐||Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))|
|☐||Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))|
Securities registered pursuant to Section 12(b) of the Act:
|Title of Each Class||Trading Symbol||Name of Each Exchange on Which Registered|
|Common Stock, $0.001 par value||SWI||New York Stock Exchange|
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company ☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
SolarWinds Corporation (“SolarWinds” or the “Company”) has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but SolarWinds has not independently verified the identity of the attacker. SolarWinds has retained third-party cybersecurity experts to assist in an investigation of these matters, including whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems, and in the development of appropriate mitigation and remediation plans. SolarWinds is cooperating with the Federal Bureau of Investigation, the U.S. intelligence community, and other government agencies in investigations related to this incident.
Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the “Relevant Period”), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products. SolarWinds has taken steps to remediate the compromise of the Orion software build system and is investigating what additional steps, if any, should be taken. SolarWinds is not currently aware that this vulnerability exists in any of its other products.
SolarWinds currently believes that:
•Orion products downloaded, implemented or updated during the Relevant Period contained the vulnerability;
•Orion products downloaded and implemented before the Relevant Period and not updated during the Relevant Period did not contain the vulnerability;
•Orion products downloaded and implemented after the Relevant Period did not contain the vulnerability; and
•Previously affected versions of the Orion products that were updated with a build released after the Relevant Period no longer contained the vulnerability; however, the server on which the affected Orion products ran may have been compromised during the period in which the vulnerability existed.
SolarWinds values the privacy and security of its over 300,000 customers and is working closely with customers of its Orion products to address this incident. On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000. The communication to these customers contained mitigation steps, including making available a hotfix update to address this vulnerability in part and additional measures that customers could take to help secure their environments. SolarWinds is also preparing a second hotfix update to further address the vulnerability, which SolarWinds currently expects to release on or prior to December 15, 2020. For the nine months ended September 30, 2020, total revenue from the Orion products across all customers, including those who may have had an installation of the Orion products that contained this vulnerability, was approximately $343 million, or approximately 45% of total revenue.
There has been significant media coverage of attacks on U.S. governmental agencies and other companies, with many of those reports attributing those attacks to a vulnerability in the Orion products. SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in any of the reported attacks.
SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools. SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system. SolarWinds also is investigating in collaboration with Microsoft as to whether any customer, personnel or other data was exfiltrated as a result of this compromise but has uncovered no evidence at this time of any such exfiltration.
SolarWinds’ investigations into these matters are preliminary and on-going, and SolarWinds is still discerning the implications of these security incidents. During the course of these investigations, SolarWinds may become aware of new or different information. At this time, SolarWinds is unable to predict any potential financial, legal or reputational consequences to the Company resulting from this incident, including costs related thereto. So as not to compromise the integrity of any investigations, SolarWinds is unable to share additional information at this time.
This Current Report on Form 8-K contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding SolarWinds’ understanding of the vulnerability that was inserted within its Orion monitoring products and the attack vector that was used to compromise SolarWinds’ emails and may have provided access to other data contained in the Company's office productivity tools, the potential sources of these security incidents, the number of SolarWinds customers that may have had an installation of SolarWinds’ Orion products that contained the vulnerability and the revenue related thereto, SolarWinds’ response to the security incidents, the status and results of its investigations to date and the potential impact of these incidents on its business operations and financial results and condition. These forward-looking statements are based on management's beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, (a) the discovery of new or different information regarding the vulnerability within SolarWinds’ Orion monitoring products and/or the compromise of SolarWinds emails and other office productivity tools or of additional vulnerabilities within, or attacks on, SolarWinds’ products, services and systems, (b) the discovery of new or different information regarding the exploitation of the vulnerability in the SolarWinds’ Orion monitoring products and/or the compromise of SolarWinds emails and other office productivity tools, (c) the possibility that SolarWinds’ mitigation and remediation efforts with respect to its Orion monitoring products and/or internal systems may not be successful, (d) the possibility that customer, personnel or other data was exfiltrated as a result of the compromise to SolarWinds’ emails and other office productivity tools, (e) numerous financial, legal, reputational and other risks to SolarWinds related to the security incidents, including risks that the incidents may result in the loss, compromise or corruption of data, loss of business, severe reputational damage adversely affecting customer or vendor relationships and investor confidence, U.S. or foreign regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, (f) risks that SolarWinds’ errors and omissions insurance coverage covering certain security and privacy damages and claim expenses may not be available or sufficient to compensate for all liabilities SolarWinds incurs related to the incidents and (g) such other risks and uncertainties described more fully in documents filed with or furnished to the U.S. Securities and Exchange Commission by SolarWinds, including the risk factors discussed in SolarWinds’ Annual Report on Form 10-K for the period ended December 31, 2019 filed on February 24, 2020, its Quarterly Report on Form 10-Q for the quarter ended March 31, 2020 filed on May 8, 2020, its Quarterly Report on Form 10-Q for the quarter ended June 30, 2020 filed on August 10, 2020 and its Quarterly Report on Form 10-Q for the quarter ended September 30, 2020 filed on November 5, 2020. All information provided in this Current Report on Form 8-K is as of the date hereof and SolarWinds undertakes no duty to update this information except as required by law.
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
|Dated:||December 14, 2020||By:||/s/ Kevin B. Thompson|
|Kevin B. Thompson|
|President and Chief Executive Officer|