In the past week, you may have received a request for information from the SEC’s Enforcement Division relating to the compromise of software made by SolarWinds Corp. In an incident widely publicized in December 2020, hackers exploited a vulnerability in the software to gain access to the operating systems of several companies. The SEC Staff is now seeking information from companies it believes may have been victims of the SolarWinds compromise.
Yes, the request is actually from the SEC. As an initial matter, the SEC’s request for information is being sent to companies as encrypted email through the SEC’s secured Zix Mail service. While the method of communication may raise concerns about phishing, the SEC’s outreach is authentic. If a company has concerns regarding the authenticity of the SEC’s email, it can contact the SEC at Submissions-HO14225@sec.gov or Questions-HO14225@sec.gov.
Responding to the SEC’s request is voluntary. However, a company that provides a response will receive limited amnesty from an enforcement action if the company was a victim of the SolarWinds compromise and failed to make a required disclosure or had associated internal accounting control failures. That’s a big deal. The amnesty covers a company’s officers, directors, and employees. The amnesty does not apply to any other potential misconduct related to the SolarWinds compromise, including – but not limited to – insider trading and Reg FD violations.
The SEC is requesting a two-step response from companies that receive the information request. First, the SEC asks that companies notify the SEC whether they intend to provide a response. So that’s something that companies need to figure out right away.
Then, the substantive response itself is typically required one week later – that’s a short deadline. The SEC’s request covers the time period after October 1, 2019 and seeks information relating to the versions of SolarWinds software used, any unauthorized activity relating to the SolarWinds compromise, and any remedial steps taken in response.
For companies receiving a request from the SEC, of particular concern to many is the SEC’s request for information about compromises other than the SolarWinds compromise (Question No. 5 of the request). Significantly, the SEC’s limited amnesty offer does not apply to other compromises that are reported. Another thing to be aware of is that the SEC’s request relating to other compromises seeks information about all compromises, whether or not material.
Companies receiving a Staff request should also consider the following:
- This is part of a broad sweep rather than a focus on companies that the SEC believes may have violated the securities laws.
- Companies may want to voluntarily respond, particularly in light of the SEC’s limited amnesty offer. We expect most companies that were not materially impacted by the SolarWinds compromise will still respond given this amnesty.
- While Question 5 is overbroad and has nothing to do with the SolarWinds compromise, companies should still provide a response. The SEC may consider a failure to respond as suspect and a failure to respond to Question 5 may even void the SEC’s amnesty offer.
- In responding to Question 5, companies should consider a response following the SEC’s guidance on when disclosure of cybersecurity incidents is necessary, based on materiality. While Question 5 seeks information about non-material incidents, a response that tracks the SEC’s disclosure guidance may be a practical and reasonable approach to the question for those companies that may have dozens of immaterial and routine cybersecurity events, which would be difficult to capture and report.
The SEC’s endgame with respect to the SolarWinds compromise is unclear at this point. The sweep may result in a Section 21(a) report. Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. Based on responses the SEC receives to its voluntary request for information, the SEC may discover misconduct that goes beyond the terms of the limited amnesty and bring related enforcement actions.
While we are generally advising public companies to respond to the SEC’s request for information relating to the SolarWinds compromise, companies should consider their particular facts and circumstances and frame their responses carefully.