In a new case filed this week in federal court in Washington, the commission said it was investigating whether securities laws were violated after Covington was targeted by a cyberattack in November 2020, in which a foreign actor may have accessed nonpublic information about clients, including 298 regulated companies.
Covington is one of the largest and most prestigious Washington-based multinational law firms, with former Attorney General
The firm has securities and regulatory practices and also has served as legal adviser on some large deals, including Merck & Co.’s $11.5 billion
The commission said it subpoenaed Covington in March 2022 after learning of the breach, and that the law firm had produced some information. However, government lawyers said Covington refused to comply with part of the subpoena asking for information about potentially affected clients, citing “privilege and client confidentiality.”
Covington told the commission that only seven of the 298 clients at issue had “material non-public information,” or MNPI, that the “threat actor” accessed, modified, or took, according to the SEC court filing. The commission hadn’t been able to verify that information and disagreed with the firm’s determination of what was MNPI.
“As a large law firm with hundreds of public company clients, Covington is regularly in possession of MNPI, the theft of which puts investors at significant risk. Neither Covington’s position as a victim of a cyberattack, nor the fact that it is a law firm, insulate it from the commission’s legitimate investigative responsibilities,” the SEC argued in its filing.
Covington said in a statement it would fight the SEC’s effort to enforce the subpoena in court. The firm said that it had “promptly” turned over information to the commission and cooperated with the Federal Bureau of Investigation, but “we made clear to the SEC that we cannot voluntarily comply with any attempt by the agency to obtain client confidential information, including the identity of affected clients and attorney-client communications.”
“We regard the SEC’s action as an unwarranted attempt to intrude on client confidences and the attorney-client privilege, the protection of which is a fundamental ethical obligation of the legal profession,” the firm said in its statement.
The attacks occurred when a series of previously unknown vulnerabilities — called zero days — were exploited in on-premises Microsoft Exchange servers. Microsoft provided patches for the flaws in early March, but ultimately an estimated tens of thousands of global victims were infected with malware.
Ties to China
Those attacks were later attributed to actors — dubbed Hafnium — affiliated with the Chinese government. But as news of the flaws become public, other hacking groups joined in attacking the flaws in Microsoft’s email software.
Covington previously told the SEC that its own investigation found that the breach of its network targeted certain members of the firm in an effort to “to learn about policy issues of specific interest to China in light of the incoming Biden administration,” according to a June 2022 memo from the firm’s lawyers at Gibson Dunn included in the commission’s court papers.
The SEC didn’t identify in its filing specific companies potentially affected by the breach. Its lawyers argued that knowing which public companies had “material” information exposed would empower the agency to use other tools to look for any “suspicious trading” and to make sure those companies made required disclosures to investors and the public.
The agency said that it tried to work with the firm and to narrow the scope of its requests for information, but couldn’t reach an agreement.
Covington’s June memo argued that the commission’s “speculative need” didn’t outweigh the consequences for the firm’s protected attorney-client relationships.
In a statement on Thursday to Bloomberg News, the SEC enforcement head
“The request does not seek any information protected by the attorney-client privilege or other sensitive information; rather, it only requests the names of entities regulated by the commission whose data was maliciously and unlawfully breached as part of a cyberattack against Covington,” Grewal added.
The case is Securities and Exchange Commission v. Covington & Burling, 23-mc-00002, US District Court, District of Columbia (Washington).
(Updates with comment from SEC enforcement head in final two paragraphs.)
--With assistance from
To contact the reporter on this story:
To contact the editors responsible for this story:
Elizabeth Wasserman, Peter Jeffrey
© 2023 Bloomberg L.P. All rights reserved. Used with permission.