SEC Probes SolarWinds Breach Disclosure Failures
The United States Securities and Exchange Commission (SEC) has launched a probe to determine whether some companies failed to disclose that they had been impacted by the 2020 hacking attack that compromised the SolarWinds Orion software supply chain.
The assault on SolarWinds was discovered and disclosed by researchers at FireEye in December. The advanced persistent threat (APT) group behind the attack was able to compromise nine government agencies, critical infrastructure, and hundreds of private-sector organizations.
Last month, SolarWinds CEO Sudhakar Ramakrishna revealed that the attackers may have accessed the company’s system as early as January 2019. The company has said that as many as 18,000 of its customers were affected by the breach.
The United Kingdom and the US have laid the blame for the hack at the door of Russia’s Foreign Intelligence Service (SVR). Russia has denied any culpability for the attack.
Two people familiar with the SEC investigation told the news source Reuters that letters were sent out last week by the SEC to a number of investment firms and public issuers. In the missives, the Commission asked the entities to voluntarily state whether they had been victimized by the unprecedented SolarWinds hack and kept quiet about it.
The anonymous sources also said that in addition to probing data breach disclosure failures, the SEC is seeking to determine whether the cybersecurity policies at certain companies were designed to protect customer data.
A spokesperson for SolarWinds said in a statement: “Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues.”
The company added that it is “collaborating with government agencies in a transparent way.”
Under United States securities law, companies are required to disclose material information that could affect their share prices, including data on breaches caused by cybersecurity incidents.
If the entities that receive the SEC’s letters reply by disclosing information about the breaches, they will avoid any enforcement actions linked to internal accounting control failures and historical failures, the sources said.
They added that the SEC was considering creating new policies regarding the effect of cybersecurity issues on investors and markets.