Welcome

SEC Investigating Companies’ Handling of SolarWinds Attack (1)

June 21, 2021, 5:36 PM

The Securities and Exchange Commission is investigating how companies responded to last year’s SolarWinds Corp. hack, which rippled through computer systems across the U.S. government and corporate America.

The SEC is seeking to determine whether public-company victims made appropriate disclosures to investors, if there was suspicious trading related to the cyberattack and whether private data was compromised, said people with direct knowledge of the matter who asked not to be named because the probe is private.

The SEC sent letters last week to companies that it believes were impacted, asking that they provide details on how their businesses were harmed, the people said. To encourage cooperation, the regulator signaled it wouldn’t penalize firms that share data voluntarily.

An SEC spokesperson declined to comment.

Read More: The Facts and Mystery About Russia’s SolarWinds Hack

The attackers installed malicious code in updates for popular software from SolarWinds, which was widely used by the government and corporations. In all, nine federal agencies and about 100 companies were infiltrated by the hackers via SolarWinds and other methods. While the motives behind the breach remain unclear, the U.S. blamed Russia and sanctioned dozens of entities and officials in April. For its part, Russia has denied any involvement.

SolarWinds told investors in March that there are numerous investigations stemming from the hack, including examinations being conducted by the SEC, Justice Department and state attorneys general. The company said it’s cooperating with the probes.

Under U.S. securities laws, public companies must disclose information that’s important enough to be considered material to an investor’s decision to buy or sell a stock -- including cyberattacks. The SEC letter came from the agency’s enforcement division, which is responsible for investigating and punishing firms.

As part of its letter, the SEC warned that companies might face sanctions down the road if they committed wrongdoing and don’t take advantage of the agency’s offer to come clean. The SEC also told firms that they could still be fined for violations of insider-trading rules or what’s known as Regulation Fair Disclosure, a requirement that businesses release material information to all shareholders at the same time.

(Updates with details on SEC’s request in final paragraph)

To contact the reporter on this story:
Ben Bain in Washington at bbain2@bloomberg.net

To contact the editors responsible for this story:
Jesse Westbrook at jwestbrook1@bloomberg.net

Andrew Martin

© 2021 Bloomberg L.P. All rights reserved. Used with permission.

To read more articles log in.

Learn more about a Bloomberg Law subscription.