September 14, 2021
A Securities and Exchange Commission investigation into the 2020 Russian cyberattack of SolarWinds has corporate executives concerned over the possibility that information unearthed in the probe will expose them to liability. Companies suspected of or known to have been downloading compromised software updates from SolarWinds have received letters requesting records of all breaches since October 2019, raising fears that sensitive cyber incidents previously unreported and unrelated to SolarWinds may be revealed, providing the SEC with details that many companies may never have wanted to disclose.
This investigation is “unprecedented,” said Morrison & Foerster LLP partner Jina Choi, a former SEC director, as reported by Reuters. “I can’t recall a sweep of this breadth that was not publicly announced, so that folks could really understand what the goal was of the SEC’s investigation.” One source suggested that the SEC is still trying to determine the scope and breadth of the SolarWinds hack.
Discovered late last year, the vast cyber-spying operation was reported at the time to have infiltrated nine U.S. agencies, including Treasury, Homeland Security, Commerce and Defense in a phishing scheme that went undetected for months. Microsoft president Brad Smith at the time called it “the largest and most sophisticated attack the world has ever seen,” in an interview with “60 Minutes.”
Now executives in the technology, trading, finance, energy and security sectors are receiving the letters soliciting investigatory cooperation. All have been potentially affected by the SolarWinds attacks, including more than 100 at the Department of Homeland Security who said the compromised SolarWinds software had been downloaded and surreptitiously exploited.
The initial SolarWinds attack resurfaced in spring after a brief tamp-down, and now it’s triggering a different kind of anxiety. “What companies are concerned about is they don’t know how the SEC will use this information,” said a source who told Reuters he received the request, adding “most companies have had unreported breaches since then.”
Compliance in the SEC probe is voluntary, though participants have a duty to share material information with investors. Gary Gensler, former MIT Sloan School of Management professor confirmed as chair of the SEC in April, already has the agency working on new disclosure requirements on everything from cybersecurity to climate risk. The SEC last updated its cybersecurity guidelines in 2018.
SolarWinds, an Austin, Texas-based supplier of IT software, estimated the original attack affected about 18,000 customers that downloaded an infected version of its Orion network tool, used by an estimated 300,000 clients. But very few of those affected saw obvious signs of hacking activity, leading investigators to believe that far more companies than suspected have ultimately been victimized. Firms identified as casualties to the scheme include Cisco Systems, FireEye, Intel and Microsoft.
The U.S. government hasn’t revealed much about what it knows of the hack other than to call it “traditional espionage.” Russia has denied the attack.