SolarWinds breach compels SEC probe
In the continued aftermath of the 2019 SolarWinds breach, new developments see the U.S. Securities and Exchange Commission (SEC) asking hundreds of firms to hand over information dating back to October 2019 that pertains to “any other” breach or ransomware incident in which any SolarWinds network software updates were downloaded. This totaled over 18,000 SolarWinds clients, although only a small number saw breach activity as a result. Unsurprisingly, this has caused some consternation over potential liability for previous undisclosed incidents.
While it is of course required that companies report their data breaches to regulators, the potential hit to their reputation and business still steers some down the path of silence. They judge that the risk of a possible fine upon discovery is preferable to lost business if customers get wind of an incident. Of course, what seems to be overlooked is the fact that when these breaches eventually get exposed, firms will take both hits anyway.
“What companies are concerned about is they don’t know how the SEC will use this information,” says an anonymous consultant, “And most companies have had unreported breaches since then.” If this is indeed the case, says the SEC, no leniency will be shown for unreported breaches. Officials claim that companies hiding breaches makes it more difficult to gauge the full extent of the problem and find culprits effectively.
Other insiders and experts have also voiced their opinions on the new probe. Former SEC director Jina Choi finds it unprecedented, while former official Jay Dubow believes the SEC hopes the investigation will provide more clarity on the full extent of the incident. “What is the most efficient way for the SEC to try to figure out the extent of all this?” he asks.
Seeing an intensified, aggressive push from the agency isn’t that surprising when considered against the background of heightened watchdog scrutiny over data security. Another recent example shows the U.S. Public Interest Research Group’s (PIRG) consumer watchdogs offering guides for consumers affected by the August T-Mobile breach, which hit nearly 55 million Americans.
Ultimately, are agencies like the SEC overreaching, or do their actions fall within the scope of due diligence?