The US Securities and Exchange Commission is asking tech and telecom companies how they handled the sprawling 2020 SolarWinds cyberattack, and drawing fire from the cybersecurity industry and big business for what they call overreach.
The SEC, which sought the information from a broader swath of victim companies in the wake of the massive hack, has been refining its inquiries, according to people familiar with it, who didn’t identify the companies. The regulator has asked for internal communications about the cyber-assault’s impact, probing for gaps in corporate security and for other cyber incidents, according to the people, who asked not to be named discussing a private matter.
The probe – aimed partly at determining what the companies may have known but didn’t disclose – follows a landmark lawsuit the SEC filed in October against SolarWinds Corp, claiming it failed to maintain adequate controls and defrauded investors by downplaying security risks. SolarWinds is the Texas software firm whose flagship product was used as a Trojan horse in the attack.
The sharpened inquiry into the victim companies themselves comes amid broader pushback against the agency’s regulatory ambitions. Powerful trade and lobbying groups have criticised Gary Gensler’s SEC over its regulation of climate policy, cryptocurrencies, market structure, trade processing and more. The US Chamber of Commerce, which isn’t a party to the SolarWinds suit, nonetheless filed a brief last month asking the court to consider its view – and its view is that the SEC is going too far.
‘Power grab’
The agency’s “constant power grab” has left companies in a state of uncertainty, and legal peril, over how to design their internal controls, the Chamber and the Business Roundtable argued in their “friend of the court” brief in federal court in Manhattan. The Business Roundtable counts among its members such heavy hitters as Apple Inc’s Tim Cook, Citigroup Inc’s Jane Fraser and JPMorgan Chase & Co’s Jamie Dimon.
The SolarWinds case is “a watershed moment in the SEC enforcement programme in terms of cybersecurity”, said Jennifer Lee, former assistant director in the SEC’s enforcement division, which is conducting the inquiry, and now a partner at Jenner & Block LLP.
The commission has become “very aggressive” in scrutinising public companies’ disclosures after a data breach “and now, with SolarWinds, is turning its focus to a company’s public statements made before a cybersecurity incident”, said Lee, who predicts the lawsuit could be a sign of future cases.
A spokesperson for the SEC declined to comment.
Legal test
In the historic cyberattack, malicious code was installed in software updates. SolarWinds’ Orion software was one of the products the hackers weaponised to spread digital havoc among nine federal agencies and about 100 companies, including such names as networking gear maker Cisco Systems Inc and cybersecurity firm FireEye Inc, now known as Mandiant Inc. It isn’t clear whether the two are among the companies that have received information requests from the SEC.
Lawyers say the suit may be the first legal test of one of the SEC’s tools: what Congress intended when it required that public companies maintain certain “internal accounting controls” half a century ago to ward off bribery of foreign officials. The business trade groups say the agency has distorted the law by applying it to a corporate victim of cybercrime and effectively dropping “accounting” from the equation.
“The outcome of this litigation will affect every public company,” Nicole Friedlander, a lawyer for the groups, said in a statement. “For the first time, the SEC asserts the power to penalise companies for alleged failures of controls over access to anything a company owns, not limited to balance sheet assets.”
Serrin Turner, a lawyer for SolarWinds, said the case was as “unfounded as it was unprecedented”.
“The business community has called for this case to be dismissed because the SEC is trying to expand cybersecurity disclosure obligations well beyond what the law requires,” he said in a statement.
From the commission’s standpoint, cybersecurity controls are internal accounting controls, because they are meant to protect corporate assets, which the agency says SolarWinds failed to do. The SEC’s enforcement director, Gurbir Grewal, said at a conference this month that there is a disconnect between what SolarWinds said publicly and what executives said internally.
‘Swiss Army statute’
In the wake of the assault, the SEC wrote to a wide range of companies it believed were affected, to determine whether they had made appropriate disclosures to investors, whether there was suspicious trading related to the cyber-assault and whether private data had been compromised.
The letter came from the enforcement division, which is responsible for investigating and punishing companies, but to encourage cooperation the agency signalled it wouldn’t penalise those that shared data voluntarily.
The lawsuit, filed two years later, sparked a furor in the cybersecurity industry, as some argued it could deter future cooperation with the government. Grewal countered that view at the Securities Industry and Financial Markets Association conference.
“No one is asking you to give the blueprint of how hackers got in, where hackers got in,” he said.
The business leaders point to scepticism of the enforcement strategy within the SEC’s own ranks. In 2020 energy company Andeavor agreed to pay US$20mil (RM94.57mil) to resolve claims over stock buybacks. Three years later Charter Communications Inc paid US$25mil (RM118.21mil) in a similar case. Each case drew dissents from two SEC commissioners, who expressed concern about the use of the legal tool.
They called it the “Swiss Army statute”, after the famous multi-purpose knife. – Bloomberg