TheCorporateCounsel.net

October 31, 2023

Cybersecurity Disclosure: No “Free Pass” on Form 8-K

With the compliance date kicking in on December 18th for the SEC’s new line-item requirement to report material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, it’s worth noting that the complaint the SEC brought yesterday against SolarWinds and its CISO gives the defendants no credit for their eventual decision to report the cyberattack on a Form 8-K. Instead, it doubles down on allegations that those disclosures were misleading:

On December 14, 2020, SolarWinds filed a Form 8-K with the SEC disclosing that its Orion network monitoring software contained malicious code that had been inserted by threat actors as part of a supply-chain attack. The Form 8-K was drafted by a group of executives, including Brown, and signed by SolarWinds’ CEO. That Form 8-K was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period in the incidents involving U.S. Government Agency A, Cybersecurity Firm B, and Cybersecurity Firm C.

Form 8-K disclosure may be the last thing on anyone’s mind when a cyberattack is discovered, which is why you need to build this step into your incident response plan on a clear day, before an incident forces the question. The good news (or the bad news, depending on your perspective) is that since SolarWinds’ announcement in December 2020, we’ve all had a lot more experience with cyber incidents, and companies have become more sophisticated in their Form 8-K disclosures even ahead of the new requirement. Here are a couple of examples. This Cybersecurity Dive article says that the same bad actors may be behind both of these attacks, and that they’re still at large.

Liz Dunshee