EXECUTIVE SUMMARY:

The US Securities and Exchange Commission (SEC) has begun to ask publicly traded technology, finance and energy sector firms about fallout from the SolarWinds breach. The SEC intends to determine whether or not select organizations may have deliberately withheld details to protect reputations.

In the United States, firms are legally obligated to disclose incidents that might affect share prices. However, some businesses aim to sidestep cyber security disclosures so as to avoid enforcement actions and penalties. Other businesses unintentionally miss the opportunity to report breaches. The SEC says that organizations that respond to the SEC’s latest set of letters will avoid potential legal repercussions related to “historical failures.”

SEC SolarWinds investigation

The first round of letters from the SEC was distributed in June of this year. Companies that did not respond to the initial letter received a follow-up letter more recently.

Compliance with the SEC’s request is strictly voluntary. However, organizations worry that a lack of compliance could be read by officials as cause for concern. At the same time, full compliance might reveal previously undisclosed cyber security breaches within organizations.

The SEC has asked organizations to provide “any other” cyber security or ransomware attack information that may have been omitted or glossed over in previous reports or discussions. Specifically, the SEC requests information dating from October 2019 onward.

Looking at unreported incidents

Those familiar with the investigation note that the sweeping request could provide the SEC with a rare glimpse into incidents that firms never wanted to disclose. “What companies are concerned about is they don’t know how the SEC will use this information. And most companies have had unreported breaches since then,” says one anonymous SEC consultant.

The SEC asserts that the request’s intent is to identify breaches that may be related to the SolarWinds software incident. In the long run, findings may inform future domestic cyber security policies.

Across the past year, cyber incidents have increased in frequency and impact. The White House has called for public-private partnerships around cyber security. President Joe Biden encouraged all companies to “raise the bar.”

The SEC’s sweeping investigation has been labeled “unprecedented.” Former SEC official Jay Dubow questions whether or not this was the most effective means of collecting the desired data. Only time will tell.

The next SolarWinds

Existing SEC filings by corporate groups describe SolarWinds as a type of attack that they may experience in the future. Among organizations that reported an accidental install of the malicious Orion software, the majority contend that their sensitive information did not leave internal systems.

Organizations continue to struggle with questions around whether or not SolarWinds attackers stole data. In annual filings, some companies have acknowledged the potential for loss or theft of data that could result in adverse business consequences. Although the SolarWinds attack took place more than nine months ago, the extent of the espionage and the effects still remain largely unknown.
