A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, Reuters reported Friday, citing six people familiar with the inquiry. From the report: The SEC is asking companies to turn over records into “any other” data breach or ransomware attack since October 2019 if they downloaded a bugged network-management software update from SolarWinds, which delivers products used across corporate America, according to details of the letters shared with Reuters. People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign, giving the SEC a rare level of insight into previously unknown incidents that the companies likely never intended to disclose.
“I’ve never seen anything like this,” said a consultant who works with dozens of publicly traded companies that recently received the request. “What companies are concerned about is they don’t know how the SEC will use this information. And most companies have had unreported breaches since then.” The consultant spoke on condition of anonymity to discuss his experience. The requests are voluntary, and companies are obliged to disclose anything material to investors. But the fact the inquiries comes from the SEC’s enforcement staff could raise the prospect of investigations and steep penalties if companies fail to disclose breaches or did not have the appropriate controls in place to deal with past attacks, four attorneys who regularly handle SEC cases said. Further reading: What it was like inside Microsoft during the worst cyberattack in history.