According to six people familiar with the matter, the US Securities and Exchange Commission’s investigation of the Russian SolarWinds hacking operation has revealed that dozens of corporate executives fear that information discovered in the expanded investigation will be used to hold them accountable.
The SEC is requiring companies to turn over records of “any other” data breach or ransomware attack dating back to October 2019 if they downloaded a vulnerable network management software update from SolarWinds, which provides products used by companies in the United States, according to a letter shared with Reuters.
People familiar with the investigation said that these requests may reveal many unreported cyber incidents unrelated to Russian espionage, giving the SEC rare insight into previously unknown incidents that these companies may never have intended to disclose.
“I have never seen anything like this,” said a consultant who has worked with dozens of listed companies that have recently received requests. “The company’s concern is that they don’t know how the SEC will use this information. Since then, most companies have had unreported violations.” The consultant spoke on condition of anonymity to discuss his experience.
An SEC official stated that the purpose of the request was to discover other violations related to the SolarWinds incident.
The SEC told companies that they will not be punished if they voluntarily share data about the SolarWinds hack, but that it will not provide amnesty for other compromises.
The frequency and impact of cyber attacks are increasing, and they attracted deep attention from the White House last year. US officials accused companies of failing to disclose such incidents, saying this concealed the severity of the problem from shareholders, policymakers and law enforcement agencies trying to find the most serious offenders.
A person familiar with the US Securities and Exchange Commission’s investigation told Reuters that the letter was sent to hundreds of companies, including many in the technology, finance, and energy industries, which are believed likely to have been affected by the SolarWinds attack. This number exceeds the 100 for which the Department of Homeland Security said the bad SolarWinds software was downloaded and then used.
Since last year, only about 22 companies have been publicly identified as being affected, including Microsoft, Cisco Systems, FireEye and Intel. Of the people contacted for this story, only Cisco confirmed that it had received a letter from the US Securities and Exchange Commission. A Cisco spokesperson said that it has responded to the SEC’s request.
Cyber security research also shows that software manufacturer Qualys and petroleum energy company Chevron Corp are targets of Russian cyber operations. Both declined to comment on the US Securities and Exchange Commission’s investigation.
Approximately 18,000 customers of SolarWinds downloaded a hacked version of its software, which cybercriminals had manipulated for future access. However, only a small percentage of customers have seen subsequent hacking activity, which shows that the attackers infected far more companies than they ultimately went on to victimize.
According to six sources who have read the letters, the SEC sent letters last month to companies believed to be affected, following the first round of investigations in June.
The second wave of requests is for recipient companies that did not respond in the first round. The exact number of recipients is not yet known.
Jina Choi, a partner at Morrison & Foerster and a former SEC director who handled cybersecurity cases, said that the current investigation is “unprecedented” because the SEC’s objectives lack clarity in such a large-scale investigation.
Although the U.S. Securities and Exchange Commission issued guidelines ten years ago that required companies to disclose potentially important hacking activities, and then updated the guidelines in 2018, most admitted that the guidelines were vague.
Gary Gensler, who took the helm at the SEC in April, has instructed the agency to issue new disclosure requirements ranging from cybersecurity to climate risk.
Although Reuters first reported the hacking attack more than nine months ago, the actual impact of the large-scale digital espionage operation by Russian intelligence agencies is still largely unknown to US officials.
Government officials avoided sharing full descriptions of what was stolen or what the Russians were pursuing, but described the operation as traditional government espionage.
Many companies have mentioned hacking attacks in SEC documents, but many companies only use these incidents as an example of the kind of intrusion they might encounter one day. Most people who said they installed the SolarWinds software added that they don’t believe their most sensitive data has been stolen.
John Reed Stark, the former head of the SEC’s Internet Enforcement Office, said, “It will be difficult for companies to answer these questions, not only because these requirements are broad, comprehensive, and all-encompassing, but also because the SEC will find some kind of error” in their previous disclosures.
© Thomson Reuters 2021