SolarWinds is preparing to incur significant costs related to the compromise of the company’s Orion IT management platform and has already spent more than $3 million to remediate the impacts of the massive hacking campaign.
Going forward, the company expects to incur costs related to the attack of up to $25 million in 2021.
That disclosure came during the company’s fourth quarter and year-end earnings report Thursday, which was otherwise positive. However, a major topic in the report and on the investor conference call to discuss earnings was the cyberattack.
CEO Sudhakar Ramakrishna said it a prepared statement that the attack on the company and its customers has taught them about the resiliency of the business, its employees and customers. Ramakrishna also committed to sharing the results of the company’s internal investigation once completed.
“We believe that this level of transparency and cooperation is critical to help address the broader issues that nation-state level cyber operations pose for the software industry,” Ramakrishna says.
“We have a strong foundation from which to grow, and to establish a model for the future of the software industry by delivering powerful, affordable, and secure solutions.”
This is the first earnings report the company has issued since the disclosure of the attack in December, which so far has compromised about 100 entities, including several sensitive U.S. government agencies.
According to SolarWinds’ financial reports, the company spent $3.5 million in December 2020 alone. That is significant, since the attack was only disclosed on Dec. 13.
Ramakrishna and CFO Barton Kalsu told investors that the attack will cost the company between $20 million and $25 million this year. Those costs include security initiatives, insurance increases and increases to professional service fees.
In a conference call with investors, Ramakrishna said the company is implementing improved cybersecurity practices and securing its product delivery process via automation and manual checks.
The company has also formed a new cybersecurity committee that is overseeing the response to the cyber incident, including advice to management and oversight of improvements.
“We’re committed to not only leading the way … but also sharing our learnings with the industry,” Ramakrishna says.
Other than the cyber incident, the company reported a generally positive fourth quarter, with revenue of $265.3 million, a 7.2% increase over the year prior.
However, the company’s first quarter outlook provided some insight into how the attack has impacted business, as the company expects revenue between $247 million to $252 million and EBITDA of $98 million to $101 million. For the first quarter of 2020, the company reported figures of $247 million and $110.9 million, respectively.