As publicly reported late last week, the Securities and Exchange Commission’s Division of Enforcement (SEC) sent requests for information to a range of public companies and investment firms seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information on whether the companies and firms were exposed to the SolarWinds cyberattack and on any remedial measures they implemented in response.
SolarWinds, an IT, network, and systems software developer, disclosed in a filing with the SEC in December 2020 that a cyberattack had infiltrated its Orion monitoring product, which could allow the attacker to compromise the server on which the Orion product runs. SolarWinds disclosed that it believed that nearly 18,000 Orion customers downloaded the product containing the vulnerability and that it had notified all 33,000 users of the product that a cyberattack had taken place. The SolarWinds cyberattack was unprecedented in its scope and sophistication—including compromising nine U.S. federal agencies—leading the United States and other governments to blame the attack on an outside nation-state actor.
The SEC’s requests for information appear to be part of a probe investigating whether companies and firms may have failed to disclose the effects of the SolarWinds cyberattack on their business, any related disclosures, and any contemplated self-reporting efforts. Federal securities laws require public companies and registrants to disclose material information that could affect their businesses—including cyberattacks.
In return for voluntary disclosure, the SEC stated in its requests that it was offering amnesty to companies that choose to participate (so long as they did not learn of the SolarWinds cyberattack prior to September 2020). While this amnesty and quasi-self-reporting guidance lacks clarity in certain ways, the SEC appeared to suggest that it would pursue enforcement actions with heightened penalties against companies and firms that do not come forward with responsive information. Further, the entities in receipt of this voluntary request were advised to preserve documents related to the SolarWinds cyberattack. Companies choosing to make a voluntary disclosure were advised they must notify the SEC of their intention to cooperate with the request by June 24, 2021, and to provide responsive information by July 1, 2021. Extensions were said to be available upon request only for “extenuating circumstances.”
Due to the complexity of the SEC guidance and the high-stakes nature of the requests, companies and firms receiving the investigative letters should consult with outside securities counsel regarding whether and how best to respond.