SolarWinds hack still spreading fear

Sheila Zabeu

September 16, 2021

An investigation conducted by the U.S. Securities and Exchange Commission (SEC) into the SolarWinds hack is spreading fear among executives in the country. According to six people familiar with the investigation and heard by Reuters, the fear is that information gathered by the inspection will pave the way to impose liability on companies because of more cases of unreported cyberattacks.

The SolarWinds Orion platform attack gained prominence in the last days of 2020 and was described by some experts as one of the most complex and longest-lasting in history. The attackers managed to infiltrate the Orion update build process without leaving any traces, compromising private sector companies, including those in the technology sector, and, most notably, important US government agencies.

The SEC is asking companies to hand over records of “any other” data breach or ransomware attack since October 2019 if they downloaded a compromised SolarWinds software update, according to details of the letters shared with Reuters.

The problem is that this information could reveal cyber incidents not reported to the SEC. “I’ve never seen anything like this. What worries companies is not knowing how the SEC will use this information,” a consultant who works with dozens of publicly traded companies that recently received the SEC’s request told Reuters on condition of anonymity.

The SEC told companies that they would not be penalized if they shared data about the SolarWinds case voluntarily, but did not offer amnesty for other attacks. The SEC letters were sent to hundreds of companies, including many in the technology, finance, and energy sectors, considered potentially affected by the attack in question.

According to Jina Choi, a partner at Morrison & Foerster and former SEC director who worked on cybersecurity cases, the current investigation is “unprecedented” in terms of a lack of clarity about the purpose of such a broad sweep.

In a Bloomberg story, people with direct knowledge of the matter and who asked not to be identified said the SEC is trying to determine whether publicly traded companies that were victims of the attack gave adequate information to investors, whether there was suspicious trading related to the case and whether sensitive data was compromised. A spokesman for the SEC declined to comment on the investigation.

According to Bloomberg, SolarWinds has told investors that there are numerous investigations stemming from the hack, including those conducted by the SEC, the Justice Department, and prosecutors.

US securities laws mandate that publicly traded companies disclose information that is relevant to investor decision-making, including reports of cyberattacks. The SEC is responsible for investigating and punishing companies suspected of violating these rules.

Mandatory reporting

The US Congress is moving to compel companies operating critical infrastructure to report cyberattacks to federal authorities. The move comes after years of an irregular – and voluntary – reporting system and cases like SolarWinds and Colonial Pipeline.

Some lawmakers want banks, oil and gas companies, technology firms, and utility providers, among other organizations, to be required to notify the country’s top cybersecurity agency when they suffer a cyberattack. The bills also require the US government to share information about attacks on federal networks that eventually affect the private sector.

“The voluntary reporting model has clearly reached its limit,” says Ron Bushar, vice president of FireEye Mandiant, a cybersecurity research firm. For him, the mandatory system should specify how and what to report after a cyberattack and to whom to report it in order to help US agencies have uniform information and plan an efficient response.

Bushar was one of five executives representing various sectors who testified in favor of the bill in early September.