Clients of SolarWinds, which experienced a high-profile data breach last year, are being targeted in a probe by the U.S. Securities and Exchange Commission, according to a Reuters report.
The investigation is focusing on whether some of the companies doing business with the network management software maker failed to disclose they were affected by the attack, Reuters reported Monday, citing two anonymous sources familiar with the investigation.
Those sources revealed that the SEC sent letters last week to a number of public companies and investment firms asking them to voluntarily acknowledge if they had been victims and failed to disclose it.
“The SEC deciding to investigate a public enterprise breach is pretty significant, considering there could be financial implications from this breach that could affect a company’s future,” Piyush Sharrma, co-founder of Accurics, a cyber resilience company in Pleasanton, Calif. told TechNewsWorld.
“The impact of these large-scale breaches clearly has the potential to destabilize stock prices and the broader stock market, so it makes sense that the SEC would pursue such a line of inquiry,” added Oliver Tavakoli, CTO of Vectra AI, a provider of automated threat management solutions in San Jose, Calif.
As cyberattacks continue to grow in sophistication and cost, it is significant that the SEC is aware of security breaches and is proactively requesting information about them, maintained Bryce Hancock, COO of Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“This is important from a disclosure standpoint, as well as raising the awareness of the importance of creating a culture of cybersecurity,” he told TechNewsWorld.
The SEC did not respond to a request for comment for this story.
Question of Reach
James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla. explained that SolarWinds has thousands of customers, many of them likely publicly traded companies.
“While the SolarWinds breach itself was heavily in the news, it was not well known if the other organizations came forward to report that they were breached,” he told TechNewsWorld.
“However, the SEC requires organizations to have disclosure procedures, as they are required to report any data breaches or cyber incidents,” he continued.
“Ironically, the company may report to the SEC that they experienced a breach,” he added, “but may not disclose it publicly if it did not involve losing any privacy-controlled data, like names or emails.
Brent Johnson, CISO of Bluefin, a data security company in Atlanta, explained that a probe into the SolarWinds breach isn’t entirely unexpected, since the agency has fined companies in the past for failing to disclose data breaches.
“What is different this time around is the breadth of companies impacted by the SolarWinds incident,” he told TechNewsWorld.
“Confusion around whether running affected software versions impacted different companies’ user bases has likely raised a lot of questions around the true reach of the hackers here,” he told TechNewsWorld.
The attack on SolarWinds Orion platform was disclosed in December. The platform is commonly used to manage complex switched and routed network architectures.
Because of the sophistication of the attack, it’s suspected that the operation was backed by a nation-state.
What SolarWinds discovered was that hackers were able to penetrate its software development infrastructure and bolt a malware program, known as Sunburst, into a legitimate software update for Orion.
In March of 2020, the malicious software patch was distributed to SolarWinds’ customers. The patch set up a backdoor to the systems it infected, which gave the hackers a means for stealing data from those systems.
McQuiggan noted that the SEC has required the reporting of data breaches to the agency since February 2018.
“However,” he continued, “with the SolarWinds attack being so prominent in the industry, the SEC may realize that there should be a significantly higher number of organizations that have yet to report if a breach impacted them via the Sunburst exploit.”
“This is not entirely new territory for the SEC, as it has sued companies related to breach disclosure and failure to adopt proper cybersecurity policies at least as far back as a decade ago,” added Tavakoli.
“But,” he told TechNewsWorld, “this push feels more expansive and different than the ad hoc approaches of the past.”
Far Reaching Request
In addition to requesting voluntary disclosures, Reuters reported that the SEC is seeking information from victims of the attack as to whether they experienced a lapse of internal controls, as well as any insider trading data.
Reuters also reported the SEC is looking at some companies’ policies to determine if they’re designed to protect customer information.
“I do find the internal controls piece interesting,” Johnson said. “While a supply chain attack may be difficult to detect from an internal controls perspective, a company’s ability to investigate, respond, and notify once the vulnerability has been detected could be under scrutiny.”
Sharrma maintained that the SEC is trying to understand if state threat actors were involved in the breach. He acknowledged, however, “Enforcing controls and policies could be more complicated because every control may not apply to every enterprise.”
“I think they’re interested in learning, understanding and evaluating the impact of the breach, rather than enforcing security policies,” he added.
Tavakoli called the SEC’s information requests “far reaching.”
“The SEC setting a clearer bar for what constitutes reasonable cybersecurity policies and practices has the potential to clarify corporate responsibility to protect shareholder value,” he said.
“Breaches — and insider knowledge about them — can clearly be used to illegally benefit in trading stocks, something that is squarely within the SEC’s remit,” he added.
He also noted that what action the SEC may take against companies that voluntarily admit they failed to disclose the impact of the SolarWinds breach on their operations appears to be fuzzy.
“It’s unclear from the public reports whether companies which now disclose a breach will not be subject to fines — just that the information they provide to the SEC would not be used as a basis for legal action,” he said.
“And companies may still wish to avoid public disclosure and the inevitable raft of civil lawsuits that would ensue from such disclosure,” he added.