June 21, 2021

SolarWinds Cyberattack: SEC Enforcement Contacting Affected Companies…With A Tight Deadline

The Enforcement Division is contacting companies that may have been affected by the December 2020 SolarWinds cyberattack, according to an alert that Brian Breheny, Raquel Fox and others on the Skadden team sent to clients over the weekend. If you get an inquiry, you need to act fast if you want to get “cooperation credit” in exchange for info that you provide. Here’s an excerpt:

In broad strokes, the SEC is offering amnesty to companies who voluntarily disclose (i) how the company was impacted by the SolarWinds cyberattack, and (ii) any remedial actions the company implemented in response, to the extent that those voluntary disclosures show that the company failed to make prior required disclosures or maintain adequate internal controls. Companies must also preserve documents related to the SolarWinds cyberattack, and any other cyberattack since October 2019. Companies who learned of the SolarWinds cyberattack before September 2020 are ineligible for amnesty.

Companies must inform the SEC whether they intend to provide the requested information by June 24, 2021, and provide the information by July 1, 2021, although extensions may be requested for “extenuating circumstances.”

Amnesty will not extend to other securities violations related to the SolarWinds cyberattack (e.g., Reg FD violations, insider trading). If a Company chooses not to participate and the SEC otherwise learns that the company did not appropriately disclose or prevent/remediate the SolarWinds cyberattack, the SEC intends to pursue enforcement actions with heightened penalties.

Although the SEC did not disclose how it selected recipients of the voluntary request, SolarWinds previously disclosed DOJ, SEC and State AG investigations related to the cyberattacks (in addition to civil litigations) so the SEC may have SolarWinds data and documents, including customer lists.

Liz Dunshee