The U.S. Securities and Exchange Commission (SEC) has launched an investigation into the SolarWinds supply chain cyberattack, this time focusing on finding evidence that some of the companies involved concealed the attack from authorities. A few days ago the SEC began sending investigative letters to some investment firms and public issuers, asking them to voluntarily provide information about how the incident impacted their systems, an acknowledgment that the SEC believes some organizations concealed the attack.
The agency is also seeking information to confirm or deny whether the affected public companies lacked internal controls, along with related information about insider trading. The SEC is also analyzing the policies of certain companies to evaluate whether their security measures are sufficient to protect their users' information. The SEC press office declined to comment.
If issuers and investment firms respond to letters disclosing details about the violations, they will not be subject to default actions related to these failures, the reports state.
A SolarWinds spokesperson said: “Since we learned of this incident, our top priority has been to work closely with our customers and try to understand as well as possible how this issue arose and find the best ways to prevent subsequent incidents.”
Current U.S. securities legislation requires companies to disclose any material information about an incident of this nature, even if it may affect their stock price. It's worth mentioning that cybersecurity incident reporting is relatively new territory for the SEC.
In late 2021, regulatory agencies in the U.S. discovered a security incident impacting SolarWinds, allowing threat actors to access sensitive data from thousands of public and private organizations. SolarWinds’ share price plummeted as a result of this incident.