Sept 13– In the US, the Securities and Exchange Commission (SEC) is launching a new investigation into the SolarWinds attack. Dozens of corporate executives have expressed concern, as the expanded probe could unearth cyber security lapses and unreported data breaches, which may expose organizations to federal penalties.
In the SEC’s letter to specific organizations, requests were made for “any other” 2019-or-newer data breach records or ransomware attack information. Those familiar with the SEC request state that corporate documentation may reveal an unprecedented level of insight.
Corporate America: The fear
Corporate groups are worried about how the SEC will ultimately use the information provided. An SEC consultant noted that the majority of companies have experienced cyber security incidents since 2019.
Although the requests are voluntary, failure to comply could raise red flags within the SEC. At the same time, disclosing breaches could trigger new SEC investigations and fines.
According to the SEC, the intention is to find other breaches that may be adjacent to the SolarWinds episode. The SEC has stated that companies will not see penalties for data disclosure pertaining to this investigation.
Who received the SEC’s letter
Organizations that received the SEC’s letter include those within the technology, finance and energy sectors. Hundreds of letters were distributed, and recipients are thought to have been affected by the SolarWinds hack. The number of organizations involved in the inquiry exceeds the number that the Department of Homeland Security initially reported as experiencing the SolarWinds software event.
The SolarWinds victims
Media outlets reported that more than 18,000 SolarWinds clients unintentionally downloaded the malicious software. However, subsequent reporting shows that only a small fraction of those organizations experienced further “follow-on” hacking. The number of organizations infected by the malware therefore far surpasses the number that experienced related incidents.
The SEC’s sweeping investigation, which was not publicly announced, has left organizations concerned about their future. Since the 2018 breach guidance was released, many firms have offered vague accounts of breaches or have used boilerplate language to describe them.
Former head of the SEC’s office of internet enforcement, John Reed Stark, says “companies will struggle to answer these questions – not just because these are broad, sweeping and all-encompassing requests, but also because the SEC is bound to discover some sort of mistake.”
For more information about the SEC’s new investigation, visit Reuters.