According to a Reuters story, clients of SolarWinds, the company hit by a high-profile data breach last year, are now the subject of an investigation by the U.S. Securities and Exchange Commission.
According to Reuters, which cited two unnamed people familiar with the inquiry, the investigation is focused on whether or not any of the businesses doing business with the network management software manufacturer neglected to declare that they were impacted by the assault.
According to those individuals, the SEC issued letters last week to a number of public businesses and investment organizations, requesting that they voluntarily admit whether they had been victims of identity theft and had neglected to report their involvement.
Accurics, a Pleasanton, California-based cyber resilience company founded by Piyush Sharrma, told TechNewsWorld that the SEC’s decision to investigate a public enterprise breach is “pretty significant,” given the possibility that financial consequences from the breach could affect a company’s future.
According to Oliver Tavakoli, chief technology officer of Vectra AI, a provider of automated threat management solutions based in San Jose, Calif., “the impact of these large-scale breaches clearly has the potential to destabilize stock prices and the broader stock market, so it makes sense that the SEC would pursue such a line of inquiry.”
According to Bryce Hancock, CEO of Cerberus Sentinel, a cybersecurity consulting and penetration testing company based in Scottsdale, Arizona, as cyberattacks become more sophisticated and expensive, it is critical that the SEC is aware of security breaches and that it is actively seeking information about them.
In an interview with TechNewsWorld, he said that the revelation was significant because it “raises awareness of the necessity of establishing a culture of cybersecurity.”
The Securities and Exchange Commission did not reply to a request for comment for this article.
A Question of Reach
According to James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training company based in Clearwater, Florida, SolarWinds has thousands of clients — many of which are presumably publicly listed corporations.
“While the SolarWinds hack was widely publicized, it was unclear if any other companies had come forward to disclose that they had also been compromised,” he told TechNewsWorld.
He added, “However, the Securities and Exchange Commission (SEC) requires businesses to have disclosure processes in place since they are obliged to disclose any data breaches or cyber events.”
According to him, “ironically, the business may notify the SEC that they suffered a breach, but may not disclose it publicly if the breach did not include the loss of any personally identifiable information, such as names or emails.”
In an interview with CNBC, Brent Johnson, chief information security officer of Bluefin, a data security company in Atlanta, explained that the FTC’s investigation into the SolarWinds breach isn’t entirely unexpected, given that the agency has fined companies in the past for failing to report data breaches.
This time, he said to TechNewsWorld, “the range of businesses affected by the SolarWinds issue is different from the last.”
In an interview with TechNewsWorld, he said there was “a lot of confusion” about whether running vulnerable software versions had an effect on various businesses’ user bases. “The real reach of the hackers here has certainly generated a lot of concerns,” he said.
The Sunburst Backdoor
The assault on the SolarWinds Orion platform was discovered in December and reported to the authorities. The platform is typically used to administer complex switched and routed network systems.
Observers believe that a nation-state was involved in this assault because of how sophisticated it was.
What SolarWinds found was that hackers had been able to infiltrate its software development infrastructure and embed a malware application known as Sunburst inside a genuine software update for the Orion system management system.
The malicious update was sent to all SolarWinds customers in March 2020. It installed a backdoor on the computers it infected, providing the hackers with a method of collecting data from those systems once they had been infected.
Since February 2018, according to McQuiggan, the Securities and Exchange Commission has mandated that data breaches be reported to the agency.
He went on to say that since the SolarWinds assault is so well-known in the industry, “the Securities and Exchange Commission (SEC) may recognize that there should be a much larger number of companies that have yet to disclose whether they have been affected by the Sunburst exploit.”
According to Tavakoli, “this is not completely new terrain for the SEC, since it has sued businesses for failing to disclose data breaches and failing to implement appropriate cybersecurity procedures at least a decade ago.”
He told TechNewsWorld that “this effort seems more broad and distinct than the ad hoc methods that have been taken in the past.”
A Request with Broad Scope
Additionally, according to Reuters, the SEC is collecting information from victims of the assault about whether or not they suffered a breach in internal controls, as well as any evidence regarding insider trading activity.
According to Reuters, the SEC is also investigating certain businesses’ rules to see whether or not they are intended to safeguard consumer information.
Regarding internal controls, Johnson remarked, “I find that part fascinating.” Even though a supply chain assault is difficult to identify from an internal controls viewpoint, a business’s capacity to investigate, react, and inform after a supply chain vulnerability has been identified may be put under examination.
Sharrma insisted that the SEC is attempting to determine whether or not state-sponsored threat actors were engaged in the hack. He did admit, however, that “enforcing controls and policies may be more complex since every control may not apply to every business.”
“I believe they are more concerned with learning about, comprehending, and assessing the effectiveness of the attack than they are with implementing security rules,” he said.
The SEC’s information demands, according to Tavakoli, were “extensive.”
In his words, “The SEC raising the standard for what constitutes acceptable cybersecurity plans and procedures has the ability to clarify corporate responsibilities to safeguard shareholder wealth.”
According to him, “Breaches — and insider information about them — may obviously be utilized to unlawfully profit in stock trading, something that is firmly within the SEC’s purview.”
He also noted that it is unclear what action the SEC would take in response to businesses that voluntarily acknowledge that they did not properly report the effect of the SolarWinds hack on their business operations.
He added that “it’s unclear from public reporting whether businesses that now reveal a breach will not be liable to penalties — simply that the information they give to the SEC will not be utilized as a basis for legal action.”
“Moreover, businesses may still want to prevent public disclosure and the inevitable slew of civil litigation that would follow if such disclosure were to occur,” he said.