[BreachExchange] SEC Investigating Companies’ Handling of SolarWinds Attack

[Sophia Kingsbury]

https://www.bloombergquint.com/onweb/sec-investigating-companies-handling-of-solarwinds-cyberattack

The Securities and Exchange Commission is investigating how companies
responded to last year’s SolarWinds Corp. hack, which rippled through
computer systems across the U.S. government and corporate America.

The SEC is seeking to determine whether public-company victims made
appropriate disclosures to investors, if there was suspicious trading
related to the cyberattack and whether private data was compromised, said
people with direct knowledge of the matter who asked not to be named
because the probe is private.

The SEC sent letters last week to companies that it believes were impacted,
asking that they provide details on how their businesses were harmed, the
people said. To encourage cooperation, the regulator signaled it wouldn’t
penalize firms that share data voluntarily.

The attackers installed malicious code in updates for popular software from
SolarWinds, which was widely used by the government and corporations. In
all, nine federal agencies and about 100 companies were infiltrated by the
hackers via SolarWinds and other methods. While the motives behind the
breach remain unclear, the U.S. blamed Russia and sanctioned dozens of
entities and officials in April. For its part, Russia has denied any
involvement.

SolarWinds told investors in March that there are numerous investigations
stemming from the hack, including examinations being conducted by the SEC,
Justice Department and state attorneys general. The company said it’s
cooperating with the probes.

Under U.S. securities laws, public companies must disclose information
that’s important enough to be considered material to an investor’s decision
to buy or sell a stock -- including cyberattacks. The SEC letter came from
the agency’s enforcement division, which is responsible for investigating
and punishing firms.

As part of its letter, the SEC warned that companies might face sanctions
down the road if they committed wrongdoing and don’t take advantage of the
agency’s offer to come clean. The SEC also told firms that they could still
be fined for violations of insider-trading rules or what’s known as
Regulation Fair Disclosure, a requirement that businesses release material
information to all shareholders at the same time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210622/8db3539a/attachment.html>