The Canada Pension Plan Investment Board (CPPIB), Canada’s largest pension fund, was a victim of both cybercrime and bad timing when it lost an estimated $113 million just days after it bought a roughly 5% stake in Texas-based software company SolarWinds.
On Dec. 9, SolarWinds reported in a press release that CPPIB had acquired an approximate 5% stake in the company for $315 million from private equity firm shareholders Silver Lake and Thoma Bravo. According to a US Securities and Exchange Commission (SEC) filing, the stake was acquired at a price of $21.97 per share of SolarWinds stock.
But just over a week later, on Dec. 17, SolarWinds revealed that it had been the victim of a “very sophisticated cyberattack” in which hackers compromised the firm’s Orion monitoring and management software. US intelligence blamed the hack on Russian government-backed operatives. As a result of the announcement, SolarWinds’ stock fell to an intra-day low of $13.98, or 36% below what CPPIB paid for its stake.
Although Silver Lake and Thoma Bravo said they didn’t know about the hack until after the sale, legal experts say the deal will likely be investigated by the SEC to determine if information was withheld about the possibility of a hack, according to a Washington Post report. The report said CPPIB will also likely look into whether the private equity companies breached their contract by failing to disclose any known cybersecurity risks.
“To the best of our knowledge, no one was aware of the hack leading to our capital commitment,” Michel Leduc, CPPIB’s senior managing director, said in a statement to the Post. However, he also said that CPPIB is “always focused on the very best interests of the fund and we will continue to assess the circumstances for optimal certainty.”
Complicating the question of what SolarWinds and its owners knew, and when they knew it, is a report from Bloomberg that a SolarWinds security adviser had warned company executives of cybersecurity risks three years ago. Ian Thornton-Trump reportedly gave a presentation to three SolarWinds executives in 2017 urging them to hire a cybersecurity senior director because he believed a major cybersecurity breach was inevitable.
Silver Lake and Thoma Bravo partnered to buy out SolarWinds in 2014 and then took the company public in 2018. According to CPPIB’s website, it has invested $3 billion in Silver Lake funds and $1.1 billion in Thoma Bravo funds since 2004.