SEC Probes SolarWinds Customers on Data Breach Disclosures

The Securities and Exchange Commission is looking into whether some companies hit by the SolarWinds Orion cyberattack failed to divulge the breach as legally required, Reuters reported.

U.S. securities law requires companies to disclose material information, including data breaches, that could affect their share prices or other relevant details. The SEC reportedly sent letters to public issuers and investment firms asking them to voluntarily disclose the following information, which could be tied to data protection policies:

  • Were they victims of the hack, and did they fail to disclose it?
  • Did public companies involved in the incident experience an internal controls failure?
  • Related information on insider trading.

Should the public issuers and investment firms provide pertinent information about the security breaches, the SEC will not take any enforcement actions for incident or policy failures related to prior events, the report said. The agency’s SolarWinds investigation may not be a one-off, Reuters’ sources said, and might lead to new regulations on the impact of data breaches on stock price and investors.

“Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues,” a SolarWinds spokesperson told Reuters. The company has been transparent with government agencies in the investigation, the spokesperson said.

The SEC SolarWinds probe comes on the heels of President Biden's executive order issued in May 2021 that referred to the role of IT service providers in cybersecurity more than a dozen times.

Word surfaced late last month that the hacking crew behind the SolarWinds attack is targeting U.S. government agencies in a phishing expedition, and it has legislators urging President Biden to tighten economic sanctions on Moscow. With word that the same group is newly engaged in Moscow’s continued cyber espionage operations, some Democratic lawmakers are calling for the Biden administration to squeeze harder.

The attacks offer a timely reminder for MSPs and MSSPs to offer cybersecurity awareness training services — which typically familiarize customers with phishing-type emails. A detailed timeline tracking the SolarWinds cyber attack and investigation is here.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.