SEC Probing Firms Hit by Massive MOVEit Cyberattack

News April 26, 2024 at 11:00 AM

What You Need To Know

  • The agency has sent dozens of sweep letters to companies affected by the hack, which affected 2,770 organizations.

Securities and Exchange Commission investigators are sending sweep letters to companies that fell prey to last year's MOVEit cyberattack, Law.com has learned.

Law.com is published by ALM, ThinkAdvisor's parent company.

The commission is examining the material impact of the May 2023 hack, which compromised the private information of 2,770 organizations and more than 94 million individuals worldwide, according to a running tally by anti-virus software firm Emsisoft. The victims include banks, insurance companies, hotels, airlines, hospitals and multiple federal agencies.

To pull it off, the ransomware gang Cl0p exploited a vulnerability in Progress Software's secure file encryption and transfer tool MOVEit, making off with a trove of Social Security numbers, birthdates, driver's license numbers, tax identification numbers and health records.

Ed McNicholas, co-leader of Ropes & Gray's data, privacy and cybersecurity practice, said more downstream victims are still emerging.

"The MOVEit hack itself impacted several large professional services firms such as lawyers and auditors, and this has led to a very complicated situation where fourth parties and fifth parties are learning of it and the SEC is continuing to figure out how to grapple with oversight of the supply chain risk because of its complexity," he said.

The letters went to dozens of companies and cover such topics as the timeline and content of the notification from Burlington, Massachusetts-based Progress; whether that notice triggered further notices to clients; ransom requests or payments; and cybersecurity governance and external communications about cyber incidents.

The SEC's targeted exams are part of an information-gathering process commonly known as a sweep. Amy Jane Longo, a former SEC trial lawyer and partner in Ropes & Gray's litigation and enforcement practice, confirmed that the SEC "has issued letters asking for information on a voluntary basis about the impact of the hack."

The existence of the sweep letters has not been previously reported.

Longo said the letters could have a dual purpose: to investigate the circumstances related to the hack and to "look into registrants' response to the hack in light of any obligations the SEC imposes on the registrants like investment advisers, broker dealers and public companies."

She said the latter piece "could be focused on how registrants responded to the hack and compliance with policies and procedures they may have, and whether they were obligated to make disclosures."

Longo and McNicholas said they were unable to discuss specifics about the letters or reveal which companies received them.

This isn't the first time the SEC has used this investigative tool in connection with a cyberattack. In 2021, the SEC issued sweep letters as part of its probe into the massive 2020 SolarWinds hack, which was perpetrated by the Russia-backed hacker group Cozy Bear.

The group committed what's known as a supply-chain attack, injecting malicious code into SolarWinds' software platform Orion that created a backdoor through which it could access customers' files undetected. Routine software updates infected with the code allowed the malware to proliferate.

The SEC's investigation of the hack led the commission in October to bring civil fraud charges against SolarWinds and its chief information security officer, Timothy Brown.

The suit, filed in federal court in New York, accuses SolarWinds and Brown of overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. The company and Brown deny the allegations.

"SolarWinds was a nation-state attack focused on espionage, whereas MOVEit, because of the nature of the software, had a much broader impact across sectors," said McNicholas, who represents the former CEO of SolarWinds. "We saw it impact health care, financial services or anyone who wanted to send files securely."

McNicholas said the SEC is examining "the timing of notice of the MOVEit breach and how long it took information to get to particular entities," along with ransom demands and payments.

The SEC, which has not made the sweep or its targets public, did not respond to a request for comment from Law.com. A company's receipt of a sweep letter does not signal that the firm is under investigation, though the agency could later use information gathered in the sweep to bring enforcement actions, or to support its case for more stringent regulation.

Progress Software disclosed in an August SEC filing that the agency had subpoenaed the company as part of a formal fact-finding inquiry into the breach.

"To the extent that staff is investigating Progress, it's likely casting the letters quite widely to try to develop information of the extent of the impact," Longo said. "My expectation is they are trying to get information very broadly to assess whether there are any potential violations they want to pursue."

The inquiry comes amid the SEC's growing interest in protecting investors from cyberthreats. In July, the agency adopted new disclosure rules requiring companies to report breaches that materially impact their business within four days of making that determination.

Longo said she doesn't think the SEC's sweep letters are directly related to the new rules, because it's "looking mainly at activity before they came into effect."

But "one could imagine that once the new rule has been in place for a longer time, there may be more public information routinely disclosed around cyber incidents that could be responsive," she said.

"The new rules spell out to public companies what disclosures are required in those circumstances, so certainly depending on their analysis of the impact of such an event, they may have to make some kind of disclosure about it. The SEC rule is very proscriptive about these disclosures."

The SEC's interest in the MOVEit hack appears broader, covering how it affected both public companies and RIAs.

The commission proposed new cybersecurity risk management rules for RIAs in 2022, and last year announced plans to amend Regulation S-P to require broker-dealers, investment companies, registered investment advisers and transfer agents "to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm."

SEC Chair Gary Gensler said in a statement a year ago that requiring firms covered under the revised rule to notify customers about breaches will "close the gap" in current regulations around cybersecurity. "I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves," he said.

Longo said the SEC has been transparent and that it believes cybersecurity risk affects every participant in the financial system.

"An incident like the MOVEit hack, because it targeted particularly confidential information, likely raises heightened concerns for the SEC about client and customer information that financial institutions like investment advisers and broker dealers have, and whether the security of such information was affected," she said.
