Publications
Publications
- October 2022 (Revised September 2023)
- HBS Case Collection
SolarWinds Confronts SUNBURST (A)
Abstract
On December 12, 2020, SolarWinds learned that malware had been inserted in its software, potentially granting hackers access to thousands and thousands of its 300,000 customers. General Counsel Jason Bliss needed to orchestrate the company response without knowing how many of its customers had been affected, or how severely. The SolarWinds CEO was already scheduled to step down within three weeks, and the incoming CEO was as yet unaware of the incident. Bliss needed to address three immediate issues. First, did the incident qualify as a material event, and if so, what information did SolarWinds need to report to whom, and when? Second, what posture should SolarWinds take with respect to its customers and to the media, where the news was expected to break within a day? Third, how should SolarWinds balance helping its customers understand and recover from the breach with protecting itself from a negative stock price impact and potential legal implications?
Keywords
Cyberattacks; Cybersecurity; Corporate Disclosure; Crisis Management; Customer Focus and Relationships; Legal Liability; Information Technology Industry; United States
Citation
Nagle, Frank, George A. Riedel, William R. Kerr, and David Lane. "SolarWinds Confronts SUNBURST (A)." Harvard Business School Case 723-357, October 2022. (Revised September 2023.)