SEC “Sweep” of Public Companies’ & Registrants’ Responses to the SolarWinds Cyberbreach

Faegre Drinker Biddle & Reath LLP

As publicly reported late last week, the Securities and Exchange Commission’s Division of Enforcement (SEC) sent requests for information to a range of public companies and investment firms, seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information on whether the companies and firms were exposed to the SolarWinds cyberattack and on any remedial measures they implemented in response.

SolarWinds, an IT, network, and systems software developer, disclosed in a filing with the SEC in December 2020 that a cyberattack had infiltrated its Orion monitoring product, which could allow the attacker to compromise the server on which the Orion product runs. SolarWinds disclosed that it believed that nearly 18,000 Orion customers downloaded the product containing the vulnerability and that it had notified all 33,000 users of the product that a cyberattack had taken place. The SolarWinds cyberattack was unprecedented in its scope and sophistication, including the compromise of nine U.S. federal agencies, leading the United States and other governments to blame the attack on an outside nation-state actor.

The SEC’s requests for information appear to be part of a probe investigating whether companies and firms may have failed to disclose the effects of the SolarWinds cyberattack on their business, any related disclosures, and any contemplated self-reporting efforts. Federal securities laws require public companies and registrants to disclose material information that could affect their businesses—including cyberattacks.

In return for voluntary disclosure, the SEC stated in its requests that it was offering amnesty to companies that choose to participate (so long as they did not learn of the SolarWinds cyberattack prior to September 2020). While this amnesty and quasi-self-reporting guidance lacks clarity in certain ways, the SEC appeared to suggest that it would pursue enforcement actions with heightened penalties against companies and firms that do not come forward with responsive information. Further, the entities in receipt of this voluntary request were advised to preserve documents related to the SolarWinds cyberattack. Companies choosing to make a voluntary disclosure were advised they must notify the SEC of their intention to cooperate with the request by June 24, 2021, and to provide responsive information by July 1, 2021. Extensions were said to be available upon request only for “extenuating circumstances.”

Due to the complexity of the SEC guidance and the high-stakes nature of the requests, companies and firms receiving the investigative letters should consult with outside securities counsel regarding whether and how best to respond.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising
