Board Pack (SEC v. SolarWinds Corp. et al.)¶
Use this to brief executives and counsel.
Purpose¶
This board brief provides decision-useful context for the SUNBURST supply-chain incident, SEC enforcement alleging disclosure and controls issues, subsequent motion practice and stipulated dismissal, and ongoing technical and governance lessons. It is designed to help the board evaluate governance adequacy, remediation priority, and reporting cadence across legal, technical, and operational dimensions.
Hallucinated writing examples¶
Scenario: In an illustrative period after the SEC filed its October 2023 complaint and after later dismissal on stipulated terms (time), the Chief Information Security Officer (role) prepares a board security brief (type) for Board Audit Committee (audience).
MEMORANDUM
This memorandum summarizes the December 2020 public disclosure of the SUNBURST campaign affecting Orion customers, the SEC’s October 30, 2023 civil enforcement action against SolarWinds and related individuals alleging fraud and controls failures tied to cybersecurity disclosures, subsequent district court motion practice (including a reported decision at 741 F. Supp. 3d 37), and the parties’ stipulated dismissal with prejudice reflected in SEC Litigation Release LR-26423 (2025). Dismissal ends this enforcement action but does not eliminate operational lessons for build security and investor communications.
Incident Summary: SUNBURST involved compromise of the software build and distribution chain, enabling insertion of malicious code into Orion updates and affecting numerous customers globally. The incident triggered intense customer incident response, government coordination, and scrutiny of development environment security and integrity controls.
Enforcement theories (as alleged) emphasized gaps between internal security assessments and public statements about cybersecurity risk and program maturity.
Regulatory and Legal Outcomes: The SEC action sought injunctive and other relief under the federal securities laws. After motion practice, the action was dismissed with prejudice on stipulated terms in 2025. Customer litigation, contractual indemnity, and reputational effects may persist. Management continues to invest in pipeline security, customer trust programs, and disclosure control testing under counsel guidance.
Control Failures and Root Causes: Allegations and public postmortems have emphasized themes including:
- Insufficient segregation and monitoring of build and release infrastructure;
- Weaknesses in secure SDLC, artifact signing, and tamper detection for distributed software;
- Risk that internal vulnerability or assessment information was not adequately reflected in public disclosures;
- Challenges coordinating technical facts with Finance and Legal for periodic reports during a fast-moving supply-chain crisis.
These areas are the focus of our remediation plan.
Remediation and Oversight Program: The Company is implementing SLSA-style build attestations, expanded PAM and MFA for build systems, secret and key management hardening, anomaly detection on publishing pipelines, SBOM practices for releases, customer-facing incident playbooks, and recurring disclosure-control tests with documented remediation of exceptions.
Approval and Endorsement Requests: Management requests the Committee’s approval of capital for pipeline security engineering and signing infrastructure; endorsement of a policy that security assessment results route through disclosure review when material to public statements; and confirmation of quarterly metrics on build attestation coverage, build-system patch latency, and disclosure test exceptions.
Please let me know if additional information or further detail would be helpful.
Respectfully submitted,
Chief Information Security OfficerDocument-type guide: Board Security Brief
Writing tips: Writing best practices — Board Security Brief