What do you think of when you think of SolarWinds and Cozy Bears? If you thought renewable energy and teddy bears, you are wrong. SolarWinds develops software that businesses use to manage their networks, systems, and IT infrastructure. In 2020, it was discovered that the company had been hacked in 2019 by Cozy Bear, a/k/a the Russian Foreign Intelligence Service. The incident also showed what a failure in ESG integration can do to a company. Withum detailed this breach back in early 2021.
SolarWinds reported that the hackers infected 18,000 customers, including the United States Treasury, Homeland Security, NATO and many non-U.S. governmental organizations. After the hack became public, SolarWinds’ share price immediately fell by 21%, and three years later it is still down over 50%. It is also reported that the hack will cost insurance carriers $90 million in claims.
In October 2023, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its chief information security officer with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. According to the complaint, SolarWinds defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The SEC also alleges that, for years, SolarWinds ignored repeated red flags about its cyber risks, which were well known throughout the company.
How Could ESG Integration and Diligence Have Saved SolarWinds Millions?
SASB Sustainability Disclosure Topics (software and IT services industry):
- Environmental Footprint of Hardware Infrastructure
- Data Privacy & Freedom of Expression
- Data Security
- Recruiting & Managing a Global, Diverse & Skilled Workforce
- Intellectual Property Protection & Competitive Behavior
- Managing Systemic Risks from Technology Disruption
ESG integration is a common form of ESG analysis in which ESG factors are used to identify sources of material financial risk.
SolarWinds’ negative ESG factors included:
- Failure to protect clients;
- Ineffective internal controls; and
- Management’s misrepresentations to shareholders.
Investors use the Sustainability Accounting Standards Board (SASB) framework to detect these risk factors during pre-investment due diligence and post-investment monitoring.
Significant customers, lenders and insurers should also consider applying the same SASB standards used by investors in their own pre-engagement due diligence to achieve ESG integration. SASB identified six sustainability disclosure topics financially material to the software and information technology services industry, one of which is data security. ESG data security due diligence includes having a cyber expert evaluate a company’s approach to identifying and addressing data security risks, including using third-party cybersecurity standards. Robust diligence procedures typically include reviewing internal documents, obtaining evidence substantiating cyber procedures and discussing cyber practices with rank-and-file employees.
There are many examples of SolarWinds’ cyber failures that should have been detected during diligence. For example, according to the SEC, there were numerous instances where internal communications warned of vulnerabilities, including one in October 2018 that read, “current state of security leaves us in a very vulnerable state for our critical assets.” In a VentureBeat article (1), Michael Isbitski, director of cybersecurity strategy at Sysdig, stated that many security gaps called out “remote access for unmanaged devices, threat modeling missteps, inadequate web application testing, inappropriate password management policies and weaker access controls.” It was also reported in the SEC complaint (2) that SolarWinds did not follow its own password protocol and used the default password “password.” During a House Committee hearing, it was disclosed that an intern set a critical file transfer protocol (FTP) password as “solarwinds123,” which was leaked onto the web. Based on the multitude of cyber failures identified in the SEC filing and other reports, it appears SolarWinds did not perform adequate ESG diligence.
The insurance companies’ failure to conduct adequate ESG cyber diligence cost a preventable $90 million in directors and officers insurance and other insurance claims, a figure that will continue to grow as the SEC presses forward with its internal control failure and fraud claims. Additionally, companies and government agencies spent millions investigating and removing the malware. The damage caused by compromising proprietary government information is still not fully understood, making it all the more important to invest in ESG integration and diligence early on.
ESG procedures are designed to identify material risks that should also be considered by non-investors who have a significant financial stake in a company’s activities. Underwriters, customers, and lenders can all take advantage of the same tools investors use during their pre-engagement due diligence. Spending the time and effort to apply diligence to critical vendors can save a company from the damage SolarWinds experienced by overlooking the value of ESG integration.
Spend the time now to save a lot of time and money later! Let Withum’s Environmental, Social and Governance Services Team do your due diligence for you and make your ESG auditable.