A letter from the US Securities and Exchange Commission seeking information from companies potentially affected by the SolarWinds Corp. hack last year signals the agency's ongoing interest in adequate disclosure of cyber risk, which companies should take into account, experts say.
In the letter sent earlier this month, the federal authority said that the disclosure of whether companies had been affected by the attack on the software manufacturer was "voluntary" and said it would offer "amnesty" by not recommending enforcement action against those who make voluntary disclosures.
However, it warned that there could be consequences for companies that did not respond if a problem was later revealed, according to reports. The SEC declined to comment.
Experts say that the SEC's action, which reflects a continuation of an SEC policy that began during the Trump administration, should serve as a warning to all companies about the need to be actively involved in dealing with cybersecurity.
U.S. regulators found that a foreign player's breach of SolarWinds' software in December 2020 gave hackers access to data from thousands of companies and authorities that used its products. News of the hack sent SolarWinds' share price tumbling, while cybersecurity shares rose.
Companies were given short notice to comply with the SEC's request. The agency gave them until June 24 to say if they would respond and until July 1
The situation indicates "we can expect more scrutiny" of regulatory cyber issues, says Matt McCabe, New York-based senior vice president of Marsh LLC's cyber practice.
The letter "has the air of a sweep to enable the enforcement department to determine the extent of the breach's impact on securities industry issues," said Jacob S. Frenkel, a member of Dickinson Wright PLLC in Washington and chairman of government investigations and security management, and a former
The letter could have a broad impact because SolarWinds has a long list of customers, so if the SEC believes there was insufficient disclosure after the hack, it could lead to enforcement action, says Toby M. Galloway, shareholder and co-chair, securities litigation and enforcement at Winstead PC in Fort Worth, Texas.
"Ultimately, I believe it will lead to much more transparent disclosures about the impact of the hack and specifically its impact on customer information and data protection," he said. Observers generally recommend that the recipients of the letter follow the requests
"The lessons are that in the future, if you or your service provider has any of these data breaches, I think you need to make sure that you have considered disclosure and control issues involved as a result, because we clearly know that the SEC is interested in it," says Jay A. Dubow, a partner with Troutman Pepper Hamilton Sanders LLP, who previously served as human resources attorney and branch manager for the SEC's Executive Department.
The SEC follows the same approach as the Trump administration on cyber intelligence, experts say.
"I do not feel that there has been a ramp-up" during the Biden administration, says Mark D. Lytle, a partner with Nixon Peabody LLP in Washington, who served in the SEC's enforcement department.
William Boeck, senior vice president, US finance lines claims internship manager and global cyber product and claims manager for Lockton Cos. LLC in Kansas City, Missouri, said the response to the letter is more likely to affect directors and officers liability insurance than cyber insurance.
"Investors can argue that the failure to disclose a cyber incident left an artificially inflated stock," which could be the basis for a shareholder's class action lawsuit, he said.