Recently, many of our clients have received similar requests from the staff of the SEC's Division of Enforcement related to the December 2020 SolarWinds cyberattack. We confirmed with the SEC staff that the request is legitimate and are happy to discuss your response at your convenience.
In broad strokes, the SEC is offering amnesty to companies who voluntarily disclose (i) how the company was impacted by the SolarWinds cyberattack, and (ii) any remedial actions the company implemented in response, to the extent that those voluntary disclosures show that the company failed to make prior required disclosures or maintain adequate internal controls. Companies must also preserve documents related to the SolarWinds cyberattack, and any other cyberattack since October 2019. Companies that learned of the SolarWinds cyberattack before September 2020 are ineligible for amnesty.
Companies must inform the SEC whether they intend to provide the requested information by June 24, 2021, and provide the information by July 1, 2021, although extensions may be requested for "extenuating circumstances."
Amnesty will not extend to other securities violations related to the SolarWinds cyberattack (e.g., Reg FD violations or insider trading). If a company chooses not to participate and the SEC otherwise learns that the company did not appropriately disclose or prevent/remediate the SolarWinds cyberattack, the SEC intends to pursue enforcement actions with heightened penalties.
Although the SEC did not disclose how it selected recipients of the voluntary request, SolarWinds previously disclosed DOJ, SEC and state AG investigations related to the cyberattacks (in addition to civil litigations), so the SEC may have SolarWinds data and documents, including customer lists.