SEC SolarWinds cyber probe puts companies on notice

A U.S. Securities and Exchange Commission letter seeking information from companies potentially affected by the SolarWinds Corp. hack last year signals the agency’s ongoing interest in adequate disclosure in the area of cyber risk and companies should take heed, experts say.

In the letter sent earlier this month, the federal agency said disclosure of whether the companies had been affected by the attack on the software maker was “voluntary,” and it said it would offer “amnesty” by not recommending enforcement actions against those that make voluntary disclosures.

It warned, though, there could be consequences for companies that failed to respond if a problem was later revealed, according to reports. The SEC had declined to comment. 

Experts say the SEC’s action, which reflects a continuation of an SEC policy that began during the Trump administration, should serve as a warning to all companies about the need to be actively involved in addressing cybersecurity.

U.S. regulators found a foreign actor’s breach of SolarWinds’ software in December 2020 gave hackers access to the data of thousands of companies and government offices that used its products. News of the hack sent SolarWinds’ share price tumbling, while cybersecurity stocks rallied.

Companies were given short notice to comply with the SEC’s request. The agency gave them until June 24 to say whether they would respond and until July 1 to provide the information, although extensions may be requested for “extenuating circumstances.” 

The situation indicates “we can expect more scrutiny” of cyber issues from regulators, said Matt McCabe, New York-based senior vice president in Marsh LLC’s cyber practice.

The letter “has the air of a sweep to enable the enforcement division to determine how broad an impact the breach had on issues in the securities industry,” said Jacob S. Frenkel, a member of Dickinson Wright PLLC in Washington and chair of government investigations and securities enforcement, and a former senior counsel in the SEC’s enforcement division.

The letter could have a broad impact because SolarWinds has a long list of customers, so if the SEC believes there was inadequate disclosure after the hack it could lead to enforcement actions, said Toby M. Galloway, shareholder and co-chairman, securities litigation and enforcement, at Winstead PC in Fort Worth, Texas. 

“Ultimately, I think it will lead to much more transparent disclosures about the impact of the hack and specifically its impact on customer information and data privacy,” he said.

Observers generally recommend the letter’s recipients comply with the requests.

“The lesson is, in the future, if you or your service provider has one of these data breaches, I think you have to make sure you’ve considered disclosure and control issues that are implicated as a result of that, because clearly we know that the SEC is interested in that,” said Jay A. Dubow, a partner with Troutman Pepper Hamilton Sanders LLP, who is a former staff attorney and branch chief for the SEC’s enforcement division.

The SEC is following the same approach as the Trump administration on cyber disclosures, experts say.

“I don’t feel like there’s been a ramp-up” during the Biden administration, said Mark D. Lytle, a partner with Nixon Peabody LLP in Washington, who served in the SEC’s enforcement division.

William Boeck, senior vice president, U.S. financial lines claims practice leader and global cyber product and claims leader for Lockton Cos. LLC in Kansas City, Missouri, said the response to the letter is more likely to affect directors and officers liability insurance than cyber insurance.

“Investors could argue the failure to disclose a cyber event left a stock artificially inflated,” which could be the basis of a shareholder class action, he said.