A recent inquiry by the U.S. Securities and Exchange Commission (SEC) into the massive SolarWinds cyberattack traced to Russian operatives has left the US business landscape on edge. Corporate leaders are concerned that the investigation could reveal previously undisclosed cyber incidents, potentially subjecting them to legal vulnerabilities.
The SEC is seeking records related to all potential data breaches or cyber extortion incidents since October 2019 linked to updates from SolarWinds Corp, according to information obtained by Reuters.
Such demands may expose a series of cyberattacks that corporations have not yet reported, thereby bringing to light incidents that companies had hoped would remain undisclosed.
A corporate consultant, who chose to remain anonymous, told Reuters, “This is unprecedented.” The consultant, who works with many public companies that received the SEC request, voiced concerns over how the SEC might use the disclosed information, especially regarding breaches that were not previously reported.
While complying with the SEC’s information requests is categorized as voluntary, companies feel compelled to respond because the requests come from the SEC’s enforcement division, which hints at potential repercussions for non-compliance, according to four lawyers familiar with the matter.
An SEC representative explained that the probe is aimed particularly at finding other breaches connected to the SolarWinds incident.
While the SEC has reassured firms that they won’t face penalties for voluntarily reporting information on the SolarWinds cyberattack, no such assurances were extended for prior unreported incidents.
In their quest for more information, the SEC delivered letters to several hundred companies in August 2021. This figure surpasses the 100 entities that the Department of Homeland Security indicated downloaded the compromised SolarWinds software, subsequently exploited by the attackers.
SolarWinds disclosed the Orion security breach in December 2019. The attack, which is believed to have been orchestrated by hackers linked to Russia, has affected a multitude of U.S. federal agencies, businesses, and consultancies.
The increasing frequency of cyber intrusions on U.S. companies and government entities has raised alarms within the highest ranks of federal governance. It’s believed that the failure of companies to disclose these breaches has obscured the full scope of the issue and hampered efforts to identify and address critical vulnerabilities.
To date, approximately two dozen firms, including technology giants Microsoft Corp, Cisco Systems, FireEye Inc, and Intel Corp, have confirmed experiencing a data breach. Of these, only Cisco has acknowledged receiving a letter from the SEC.
Other significant entities likely targeted for hacking, according to cybersecurity experts, include software firm Qualys Inc and energy titan Chevron Corp, both of which declined to comment regarding the SEC’s investigation.
About 18,000 clients downloaded an affected version of SolarWinds’ software, which the attackers had accessed. Yet only a fraction of these companies experienced active hacking attempts or system breaches.
The SEC dispatched an initial communique to all implicated companies in June, followed by a subsequent notification in August.
The ongoing examination is “unprecedented,” said Jina Choi, a partner at Morrison & Foerster LLP and a former director at the SEC, who has considerable experience with cybersecurity legal issues. Choi, in a conversation with Reuters, noted that such a widespread investigation had not been publicly declared, making it difficult to decipher the SEC’s intentions.
Nearly a decade ago, the SEC set forth guidelines for entities affected by cybersecurity issues, with an update in 2018, yet reports of significant breach events by companies have been scarce.
Jay Dubow, a former SEC official, posits that the SEC’s current endeavors aim to grasp the full impact and ramifications of the breach. He posed the question, “With SolarWinds and a multitude of their clients being publicly-traded firms and government agencies, how can the SEC efficiently determine the extent of the breach’s impact?”
Previously, the SEC adopted a lenient stance towards hacking victims. However, under the new leadership of Gary Gensler, the SEC is adopting a more assertive approach to enforcing disclosure requirements spanning cybersecurity to environmental risks.
The lingering aftermath of the SolarWinds cyberattack, which took place almost nine months ago, has yet to be fully disclosed.
Despite being impacted by the data breach, most corporations are hesitant to acknowledge their compromised data security publicly. The incident is often used as a cautionary tale to emphasize the need for enhanced cybersecurity measures rather than an admission of a security lapse.
John Reed Stark, a former chief of the SEC’s internet enforcement division, stated that responding to the SEC’s thorough inquiries will be challenging for companies. Stark anticipates that the SEC is likely to find discrepancies in previous disclosures made by these firms.