The SEC's Division of Enforcement recently issued voluntary information requests to several public companies, inquiring about the details of any impact arising from the widely publicized December 2020 SolarWinds cyberattack. These requests — sent to several public companies that had used SolarWinds' software, as well as funds, investment advisors, and other entities — were delivered via the SEC's mail service for delivery of encrypted messages in connection with confidential investigations. The requests, identified initially by some companies as spam or phishing emails, now in large part have been confirmed as legitimate.
In most instances, the recipients received a week from the date of delivery to respond, indicating whether the company intends to provide the requested information. If the recipient elects to respond, the company has one week from that date of receipt to substantively respond to the request. In many cases, those deadlines have been as early as June 24, 2021 to indicate those recipients' intent to respond, and July 1, 2021 to submit their substantive responses to the SEC. In addition to responding to the information requests, the SEC also has requested that recipients preserve certain documents related to the SolarWinds cyberattack (or any other potentially related cyberattacks).
Subject to certain limitations outlined in the SEC's communication, the request offers amnesty to its recipients by providing that the SEC will not recommend the bringing of enforcement actions against recipients for failing to make required disclosures to the public or to the SEC related to the SolarWinds cyberattack that were addressed prior to responding to the request, or, in the case of public companies, for related internal accounting control failures. To receive amnesty, the recipient must respond to the request and make certain voluntary disclosures to the SEC regarding how they were impacted by the SolarWinds cyberattack (or any potentially related cyberattacks). If it is discovered in the course of responding to the request that the company may have failed to make a required disclosure or if a public company experienced internal accounting control failures, the Division of Enforcement would not recommend pursuit of an enforcement action. Notably, however, amnesty is unavailable to those companies that received the information requests but were aware of, or otherwise learned of, the SolarWinds cyberattack before September 1, 2020. Amnesty also is unavailable with respect to any other securities violations regarding the SolarWinds cyberattack, including, but not limited to, insider trading, Reg FD violations, and certain violations of Regulation SCI, which remain subject to investigation and a potential separate enforcement action, if applicable.
While responding to the request is voluntary, if a recipient elects not to respond and the SEC later determines that the recipient did not make necessary and timely disclosures to the SEC or to the public concerning the SolarWinds cyberattack, the SEC has indicated that it intends to pursue enforcement actions and recommend charges, where appropriate, against those recipients — including the potential application of heightened sanctions and penalties.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
