SolarWinds paid its top leaders more than US$65 million in total last year despite a colossal breach that exposed 18,000 customers to Russian foreign intelligence service hackers.
The embattled IT infrastructure management vendor said Friday that it didn’t make any adjustments to its 2020 performance-based executive compensation after the hack, according to a filing with the U.S. Securities and Exchange Commission. SolarWinds has already spent at least US$21.5 million to clean up and recover from the cyberattack, which includes US$3.5 million in expenses incurred in December 2020.
SolarWinds told investors the cyberattack may impact future decisions about the company’s executive compensation program. But half the SolarWinds executives in charge at the time of the hack won’t be impacted by future cuts since CEO Kevin Thompson and CTO Woong Joseph Kim have already left the company, while SolarWinds MSP President John Pagliuca will move to N-able once the spin-off is complete.
In total, SolarWinds’ top six executives earned a combined US$65.03 million in 2020, with US$59.66 million – or nearly 92 percent – of it coming in the form of stock-based compensation.
SolarWinds said a significant majority of the executive compensation disclosed Friday relates to equity grants issued during the first quarter of 2020 or grants modified during the year due to COVID-19. The full value of the equity grants isn’t realized by the executive unless they remain employed throughout the applicable vesting period, which can extend up to four years, according to SolarWinds.
SolarWinds spread the wealth in 2020, with all six named executive officers reaping stock awards above US$5 million despite the company’s stock price falling by nearly 20 percent last year. Thompson got US$23.9 million in stock awards; Kim got US$8.8 million; CRO David Gardiner got US$7.9 million; CFO Barton Kalsu got US$6.9 million; Chief Administrative Officer Jason Bliss got US$6.3 million; and Pagliuca got US$5.9 million.
Thompson’s total pay package came in at US$25.5 million, and included an US$875,000 bonus payment. That’s 344 times greater than the US$74,180 median compensation for SolarWinds’ 3,339 employees other than Thompson, according to SEC filings.
After Thompson stepped down as CEO at the end of 2020, SolarWinds agreed to pay him an additional US$312,500 through the end of May to help the company defend itself in investigations. Thompson led the firm from the time the hackers got a foothold in the Orion software through when news of the attack went public.
The New York Times said in January that common security practices were eschewed during Thompson’s tenure because of their expense, and some of those eschewed measures may have put SolarWinds and its customers at greater risk for attack. He testified before the House of Representatives Feb. 26, where he was asked about a whistleblower report that raised concerns with the company’s security practices.
Investors who are concerned about SolarWinds’ pay practices have limited recourse. There will be a shareholder vote on the company’s executive compensation plan May 28, but the vote is non-binding, meaning that SolarWinds isn’t forced or compelled to take any specific action if most shareholders object. Investors have opposed Palo Alto Networks’ executive pay plans for three years running now.
Nearly 78 percent of SolarWinds’ stock is owned by Silver Lake and Thoma Bravo, who bought the company outright for US$4.5 billion in February 2016 and then took it public again in late 2018. The private equity firms sold US$286 million of SolarWinds stock just days before the company announced a new CEO and disclosed the cyberattack. The firms said they weren’t aware of the hack at the time of the sale.
Picking up the pieces following the months-long Orion hacking campaign will be a costly endeavor for SolarWinds. New CEO Sudhakar Ramakrishna told investors in late February that the company expects to spend between US$20 million and US$25 million on security initiatives this year, with some of the money used to cover higher costs around both insurance and professional fees stemming from the breach.
SolarWinds expects to spend between US$18 million and US$19 million cleaning up from the cyberattack in the first quarter of 2021 alone, the company disclosed Tuesday. That’s in addition to the US$3.5 million SolarWinds spent in the final weeks of December probing and recovering from the hack. SolarWinds has US$15 million of cybersecurity insurance coverage, and expects that’ll cover a good portion of the costs.
The company also faces numerous lawsuits and investigations related to the hack, with SolarWinds admitting it’s “reasonably possible” the company could incur losses in the process. Multiple class-action lawsuits accuse SolarWinds, Thompson and Kalsu of making materially false and misleading statements about the company’s security posture. SolarWinds said it disputes the allegations in the complaints.
In addition, SolarWinds said the Department of Justice, the Securities and Exchange Commission, and various state Attorneys General have launched investigations into the cyberattack. The company said it also faces inquiries under various privacy regulations such as the European Union’s General Data Protection Regulation. SolarWinds expects to incur costs in connection with these investigations and inquiries.