U.S. Securities and Exchange Commission issues requests to companies related to the SolarWinds cyberattack



June 23, 2021

Government Investigations & White Collar Defense Alert

Author(s): Mark D. Lytle, Colin T. Missett

The U.S. Securities and Exchange Commission recently sent requests to companies seeking information about their response to the SolarWinds cyberattack, offering amnesty in exchange for voluntary disclosures. Corporate counsel should verify whether their company has received such an inquiry and consult promptly with experienced outside counsel to assess whether a response is advisable, and if so, to prepare and submit one.

What’s the Impact?

  • Corporate counsel should verify whether their company has received such an inquiry.
  • Experienced outside counsel can help assess whether a response is advisable, and if so, to prepare and submit one.

The staff of the Division of Enforcement of the U.S. Securities and Exchange Commission (the “SEC”) recently sent requests to companies seeking information related to the cyberattack of SolarWinds, which was first publicized in December 2020. According to SolarWinds’s SEC disclosures, hackers inserted a vulnerability within one of its products that was then used as a point of infiltration to the systems of nearly 18,000 SolarWinds customers, including United States government agencies and private and public corporations alike. Due to the clandestine nature of the attack, which went undetected for months, victims may not immediately have known that their systems were breached.

The SEC is offering recipients of the letter—presumably all confirmed victims of the breach—amnesty for any prior failures to make required disclosures or for maintaining adequate internal controls so long as the company discloses both: (i) how the company was impacted by the SolarWinds cyberattack; and (ii) what remedial actions, if any, the company has taken in response. Importantly, the company must inform the SEC whether they intend to provide the requested information by 5:00 p.m., June 24, 2021, and then must provide substantive responses by July 1, 2021. Recipients also were informed that if a company chooses not to make voluntarily disclosures and the SEC later finds that the company did not appropriately disclose or remediate, then the staff may pursue an enforcement action with heightened penalties.

An SEC amnesty program of this nature (and apparent scope) is a relatively rare occurrence and an opportunity that corporate counsel should consider seriously. Given the extremely tight deadlines the SEC has provided for disclosure, company counsel should consult immediately with experienced outside counsel who engages regularly with the staff of the SEC Division of Enforcement to evaluate whether the company should participate in the amnesty program, and if so, how to formulate the company’s response. Counsel also can assist in seeking an extension of these tight deadlines, if necessary.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top