In “Companies Scramble To Meet SEC’s SolarWinds Info Deadline,” Law360 turned to SEC and regulatory enforcement defense partner Jim Lundy for insight on concerns related to the Securities and Exchange Commission’s (SEC) request for information regarding how companies may have been affected by the SolarWinds cyber breach revealed in December.
According to the publication, the SEC asked companies to voluntarily provide previously undisclosed information about “any other” cyberattacks since October 2019. The correspondence offered amnesty for companies that come forward with the requested information and warned of enforcement actions and “heightened penalties” for those that do not. Concerns primarily revolve around the short turnaround time to comply, lack of clarity about how to avoid penalties, and requirements to provide additional information.
“Does that mean you need to do some sort of a diligent effort to look at other incidents and whether they qualify pursuant to the terms of the correspondence?” asked Lundy.
Lundy, who is working with clients who received the request, said he and other industry attorneys have reached out to agency staff to obtain clarity, particularly on how the request about other incidents will impact the amnesty offered.
“The amnesty appears to be tailored to the SolarWinds compromise, but then it asked for [additional] information, what they described as ‘other’ compromises,” Lundy said. “It’s unclear if reporting information on the other compromises qualifies for the amnesty. It’s unclear if you need to provide the other information to qualify for the amnesty regarding SolarWinds.”
With the July 1 deadline fast approaching, Lundy advised that companies seek an extension if needed.
“Briefly describe some extenuating circumstances to justify that extension, and then ask for a reasonable period of [additional] time,” Lundy said, noting that “a couple of weeks” might be a feasible extension request.
The full article is available for Law360 subscribers.
Between the time of Lundy's interview and the publication of this article, the SEC released FAQs attempting to respond to certain issues discussed here. Read the SEC’s FAQs to learn more.