SEC Reportedly Probing SolarWinds Breach
SolarWinds clients are being investigated by the United States Securities and Exchange Commission following a high-profile data breach last year, according to a Reuters report.
The investigation is focusing on whether certain companies doing business with the network management software maker failed to disclose their exposure to the attack, Reuters reported Monday, citing two anonymous sources familiar with the investigation.
According to those sources, the SEC sent letters last week to a number of public companies and investment firms asking them to voluntarily disclose whether they were victims of the breach and had failed to disclose it.
"The SEC's decision to investigate a public enterprise breach is quite significant, given the potential financial consequences of the breach on a company's future," Piyush Sharrma, co-founder of Accurics, a Pleasanton, Calif.-based cyber resilience company, told TechNewsWorld.
"Given that the impact of these large-scale breaches has the potential to destabilize stock prices and the broader stock market, it's understandable that the SEC would pursue this line of inquiry," added Oliver Tavakoli, CTO of Vectra AI, a San Jose, Calif.-based provider of automated threat management solutions.
As cyberattacks become more sophisticated and expensive, it is critical that the SEC is aware of security breaches and is proactive in requesting information about them, according to Bryce Hancock, COO of Cerberus Sentinel, a Scottsdale, Arizona-based cybersecurity consulting and penetration testing firm.
"This is critical in terms of disclosure and raising awareness about the critical nature of developing a cybersecurity culture," he told TechNewsWorld.
The Securities and Exchange Commission did not respond to a request for comment for this story.
Question of Reach
SolarWinds has thousands of customers, many of which are likely publicly traded companies, according to James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
"While the SolarWinds breach garnered widespread attention, it was unclear whether other organizations came forward to report being hacked," he told TechNewsWorld.
"However, the SEC requires that organizations have disclosure procedures in place because they are required to report data breaches and cyber incidents," he continued.
"Ironically, a company may report a breach to the SEC but may not disclose it publicly if the breach did not result in the loss of any privacy-sensitive data, such as names or emails," he added.
Brent Johnson, chief information security officer of Bluefin, an Atlanta-based data security firm, explained that the investigation into the SolarWinds breach is not entirely surprising, given the agency's history of fining companies for failing to disclose data breaches.
"What makes this time different is the breadth of businesses affected by the SolarWinds incident," he told TechNewsWorld.
"Confusion over whether running affected software versions impacted the user bases of different companies has likely raised a lot of questions about the hackers' true reach," he added.
Sunburst Backdoor
SolarWinds disclosed the attack on its Orion platform in December. Typically, the platform is used to manage complicated switched and routed network architectures.
Due to the sophistication of the attack, it is suspected that it was carried out with the assistance of a nation-state.
SolarWinds discovered that hackers had breached its software development infrastructure and embedded a malware program called Sunburst into a legitimate Orion software update.
SolarWinds customers received the malicious software patch in March 2020. The patch installed a backdoor on the systems it compromised, providing hackers with a means of stealing data from those systems.
McQuiggan noted that since February 2018, the SEC has required notification of data breaches to the agency.
"However," he continued, "given the SolarWinds attack's prominence in the industry, the SEC may conclude that there should be a significantly greater number of organizations that have yet to report if they were impacted by a breach involving the Sunburst exploit."
"This is not entirely new territory for the SEC, as it has sued companies for failure to disclose breaches and for failing to implement adequate cybersecurity policies at least a decade ago," Tavakoli added.
"However," he told TechNewsWorld, "this push feels more expansive and distinct from previous ad hoc approaches."
Far-Reaching Request
Along with voluntary disclosures, Reuters reported that the SEC is seeking information from victims of the attack regarding any lapses in internal controls and any insider trading data.
In addition, Reuters reported that the SEC is examining the policies of several companies to determine whether they are designed to protect customer information.
"I'm intrigued by the internal controls aspect," Johnson stated. "While a supply chain attack may be difficult to detect from an internal controls standpoint, a company's ability to investigate, respond, and notify once a vulnerability is discovered may be questioned."
Sharrma stated that the SEC is attempting to determine whether the breach was caused by state-sponsored threat actors. He did acknowledge, however, that "enforcing controls and policies may be more complicated, as not all controls apply to every enterprise."
"I believe they are more concerned with learning about, comprehending, and evaluating the breach's impact than with enforcing security policies," he added.
Tavakoli characterized the SEC's requests for information as "extensive."
"By raising the bar for what constitutes reasonable cybersecurity policies and practices, the SEC may help clarify corporate responsibility to safeguard shareholder value," he said.
"Breaches — and insider knowledge about them — can clearly be used to benefit illegally from stock trading, which is squarely within the SEC's purview," he added.
Also, he noted that the SEC's ability to take action against companies that voluntarily admit to failing to disclose the impact of the SolarWinds breach on their operations appears to be murky.
"From public reports, it's unclear whether companies that now disclose a breach will avoid fines — only that the information they provide to the SEC will not be used as a basis for legal action," he said.
"And businesses may still wish to avoid public disclosure and the resulting flood of civil lawsuits," he added.