Content, Breach

SolarWinds Cyberattack Cleanup Costs: SWI Earnings, Senate & House Hearings May Provide Clues

Roughly two months after disclosing the SolarWinds Orion cyberattack, the IT management software company is scheduled to disclose quarterly results on February 25, and SolarWinds CEO Sudhakar Ramakrishna this week is expected to testify amid Washington, D.C., hearings about the cyberattack.

A detailed timeline tracking the SolarWinds Orion cyberattack and investigation is here. To be clear, the attack did not target or hit the SolarWinds MSP business division (soon to be called N-able) and associated MSP software, the company says.

Among the information that hasn't been publicly discussed in detail:

  1. Cleanup Costs: How much will the cyberattack cost SolarWinds to clean up?
  2. Revenue Impact?: Did the attack and associated SolarWinds disclosure trigger potential buyer concerns, lost revenue at the software company, or any type of revenue pressure in the SolarWinds MSP business division?

Answers to those two questions could surface during the SolarWinds Q4 2020 earnings call on February 25, MSSP Alert believes. And the overall scope and impact of the attack will surely take the spotlight during hearings in Washington, D.C.

New SolarWinds CEO Expected to Testify

Sudhakar Ramakrishna, CEO, SolarWinds
Sudhakar Ramakrishna, CEO, SolarWinds

Indeed, the Senate Intelligence Committee will hold a hearing on the hack on February 23, The Hill reports. Plus, the U.S. House of Representatives’ Oversight and Homeland Security Committees will hold a joint hearing about the cyberattack on Friday, February 26, Reuters reports. Testimony from new SolarWinds CEO Sudhakar Ramakrishna is expected at both hearings, the reports say.

Ramakrishna joined the software company less than two months ago as part of a CEO transition plan that was announced in mid-2020 -- before the hack was discovered in December 2020.

Ramakrishna officially started as CEO on January 4, 2021. Only a few days later, he became the public face of SolarWinds and the hack investigation. By January 8, 2021, Ramakrishna published a blog explaining the hack investigation and SolarWinds' top three security priorities.

Fast forward to an interview with The Wall Street Journal published on February 2, 2021, and Ramakrishna said the software company's response to the security incident will end up costing SolarWinds millions of dollars. How many millions? Perhaps that earnings call will provide more clues.

Customer Inquiries About the SolarWinds Hack: What Should MSPs, MSSPs Say?

No doubt, MSPs and MSSPs should expect a flood of media headlines about the SolarWinds earnings plus the hearings in Washington, D.C., this week. If customers read those headlines and raise questions, what exactly should MSPs and MSSPs say?

As I stated in a detailed ChannelE2E blog about the N-able Spin-Out and SolarWinds Hack Investigation Findings, MSPs should start (and stick) with the truth:

  • A forensic investigation by KPMG and a threat hunt by CrowdStrike says the hack did not involve SolarWinds MSP’s software.
  • Nevertheless, SolarWinds MSP is taking more steps to safeguard its software development and business from attacks.
  • SolarWinds MSP is nearing the completion of a rebrand and will soon be known as N-able.
  • A spin-out of N-able as an independent company in Q2 is likely (MSSP Alert and ChannelE2E believe -- so technically, this bullet is a strong opinion rather than fact).
  • No software company is fully immune to cyberattacks.
  • Every business in the MSP supply chain — from software company to MSP to end-customer — should regularly perform a risk analysis using the NIST cybersecurity framework.
  • When’s the last time your business underwent such a risk analysis?
Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.