On Friday, software company SolarWinds said the U.S. Securities and Exchange Commission had issued a Wells Notice to several of its current and former executives regarding a massive 2020 data breach which was related to the software company.

A Wells Notice does not necessarily mean any recipients have broken any specific laws. A Wells notice, issued by the SEC is usually issued when the regulator is planning to bring an enforcement action against the recipients.

In an emailed statement, a SolarWinds spokesperson said, “We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers.”

The spokesperson continued, “SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure.”

SolarWinds was the central figure in a cybersecurity crisis in December of 2020, after hackers exploited software updates by SolarWinds, using them to access confidential data at thousands of companies and government agencies which utilized its products.

The attack had gone on for months before it was detected, with affected organizations worldwide including the U.S. Treasury Department, the National Telecommunications and Information Administration (NTIA), NATO, the U.K. government, the European Parliament, Microsoft and others. Around 18,000 government and private users downloaded compromised versions of SolarWinds software, though it is believed hackers focused their data exfiltration on only the highest value targets.

The US government blamed the hack on the Russian government.

The SEC had recommended an enforcement action against the software firm over its statements in public on cybersecurity, and procedures surrounding such disclosures.