The U.S. Securities and Exchange Commission (SEC) probe into the SolarWinds hack attributed to Russian authorities has caused some anxiety among corporate executives, who fear it could unearth information about previous attacks and expose them to liability.
The SEC is asking companies to turn over records on “any other” data breach or ransomware attack since October 2019 related to any downloads of network-management software updates from SolarWinds Corp, according to details of the letters shared with Reuters.
This demand could surface many unreported cyber incidents unrelated to the Russian espionage, giving the SEC insight into previously unknown incidents that the companies never intended to disclose.
“I’ve never seen anything like this,” said a consultant who refused to be named, and works with dozens of publicly traded companies that recently received the request. “What companies are concerned about is they don’t know how the SEC will use this information. And most companies have had unreported breaches since then.”
The requests for information are voluntary, but because the inquiries come from the SEC’s enforcement staff, companies feel compelled to comply. Otherwise, they risk penalties for ignoring such requests and for failing to have the appropriate controls in place to deal with past attacks, four attorneys who work with the SEC told Reuters.
An SEC official said the requests were intended to find other breaches relevant to the SolarWinds incident.
The SEC told companies they would not be penalized if they voluntarily shared data about the SolarWinds hack, but no such leniency will be extended to past unreported breaches.
In its search for information, the SEC sent letters to hundreds of companies in August 2021. That number exceeds the 100 that the Department of Homeland Security said had downloaded the compromised SolarWinds software and then had it exploited.
SolarWinds disclosed the Orion security breach in December 2019. The malicious code, allegedly planted by hackers with ties to Russia, impacted numerous U.S. government agencies, business customers and consulting firms.
The frequency of cyberattacks on U.S. corporations and government agencies has led to deep concern in the White House. U.S. officials say companies that have not reported such events have concealed the magnitude of the problem and prevented the government from identifying the worst offenders.
Since last year, only about two dozen firms have confirmed a data breach, including Microsoft Corp, Cisco Systems, FireEye Inc, and Intel Corp. Only Cisco confirmed to Reuters that it had received the letter from the SEC.
Other major companies that were likely hacking targets, according to cybersecurity research, include software maker Qualys Inc and oil and energy company Chevron Corp. Both declined to comment on the SEC investigation.
About 18,000 SolarWinds customers downloaded the compromised version of its software, the version the attackers had tampered with. But only a small number of these companies saw any actual hacking activity or breach in their systems.
The SEC sent an initial letter to all the affected companies in June, followed up by another notice in August.
The current probe is “unprecedented,” said Jina Choi, a partner at Morrison & Foerster LLP and former SEC director who has worked on cybersecurity cases.
“I can’t recall a sweep of this breadth that was not publicly announced, so that folks could really understand what the goal was of the SEC’s investigation,” she said to Reuters.
The SEC issued guidelines for companies affected by hackers almost a decade ago and updated them in 2018, but few companies have reported any major breach events.
Former SEC official Jay Dubow believes that the SEC’s attempts now are more to know the extent of the breach and how it has impacted the associated companies. “The SEC was faced with a situation where you have SolarWinds and so many of their clients were public companies and other government agencies. What is the most efficient way for the SEC to try to figure out the extent of all this?” Dubow said.
Earlier, the SEC went soft on the victims of the hacking event, but the new chief at the helm of the SEC, Gary Gensler, wants the agency to aggressively pursue disclosure requirements ranging from cybersecurity to climate risk.
The full impact of the SolarWinds attack, which happened nearly nine months ago, has yet to be fully determined.
Most companies affected by the breach are reluctant to admit that their sensitive data was compromised. Where the hack is mentioned at all, it is cited as an example of what can go wrong and why companies need to tighten their security, rather than as an admission of a breach.
John Reed Stark, former head of the SEC’s office of internet enforcement, said “companies will struggle to answer these questions – not just because these are broad, sweeping and all-encompassing requests, but also because the SEC is bound to discover some sort of mistake” in what they’ve previously disclosed.