
Enforcement Highlights


Covering SEC, CFTC, FINRA, PCAOB, States, Exchanges, & FCA Enforcement Activities

SEC “Sweep” of Public Companies’ & Registrants’ Responses to the SolarWinds Cyberbreach

As publicly reported late last week, the Securities and Exchange Commission’s Division of Enforcement (SEC) sent requests to a range of public companies and investment firms seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information on whether the companies and firms were exposed to the SolarWinds cyberattack and on any remedial measures they implemented in response.

SolarWinds, an IT, network, and systems software developer, disclosed in a filing with the SEC in December 2020 that a cyberattack had infiltrated its Orion monitoring product, which could allow the attacker to compromise the server on which the Orion product runs. SolarWinds disclosed that it believed that nearly 18,000 Orion customers downloaded the product containing the vulnerability and that it had notified all 33,000 users of the product that a cyberattack had taken place. The SolarWinds cyberattack was unprecedented in its scope and sophistication—including compromising nine U.S. federal agencies—leading the United States and other governments to blame the attack on an outside nation-state actor.

The SEC’s requests for information appear to be part of a probe investigating whether companies and firms may have failed to disclose the effects of the SolarWinds cyberattack on their business, any related disclosures, and any contemplated self-reporting efforts. Federal securities laws require public companies and registrants to disclose material information that could affect their businesses—including cyberattacks.

In return for voluntary disclosure, the SEC stated in its requests that it was offering amnesty to companies that choose to participate (so long as they did not learn of the SolarWinds cyberattack prior to September 2020). While this amnesty and quasi-self-reporting guidance lacks clarity in certain ways, the SEC appeared to suggest that it would pursue enforcement actions with heightened penalties against companies and firms that do not come forward with responsive information. Further, the entities in receipt of this voluntary request were advised to preserve documents related to the SolarWinds cyberattack. Companies choosing to make a voluntary disclosure were advised they must notify the SEC of their intention to cooperate with the request by June 24, 2021, and to provide responsive information by July 1, 2021. Extensions were said to be available upon request only for “extenuating circumstances.”

Due to the complexity of the SEC guidance and the high-stakes nature of the requests, companies and firms receiving the investigative letters should consult with outside securities counsel regarding whether and how best to respond.

 

June 23, 2021
Written by: Michael MacPhail, David W. Porteous and Isaac Smith
Category: Investment Advisers and Broker Dealers, Public Companies, Accounting, and Auditing


©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
