SEC Reportedly Opens Investigation and Offers Possible Amnesty for SolarWinds Victims
By Aaron Charfoos, Kenneth P. Herzinger, & Dave Coogan
In late June 2021, the acting Head of the Securities and Exchange Commission’s (“SEC”) Division of Enforcement, Melissa Hodgman, reportedly sent letters to a number of public and private companies and investment advisors related to disclosures surrounding the 2020 SolarWinds hack (the “June 2021 Letter”). SolarWinds publicly disclosed in December 2020 that attackers had installed malicious code into software updates for one of SolarWinds’ software products. The malicious code had the potential to allow an attacker to compromise the server on which the product ran. In an 8-K filed in December, SolarWinds disclosed its belief that fewer than 18,000 SolarWinds customers had installed versions of the software that contained the malicious code.
The June 2021 Letter from Ms. Hodgman states that the SEC is encouraging companies to report to the SEC how they were impacted by the SolarWinds attack and what remedial steps they took in response. If companies do so by July 1, 2021, the SEC will not recommend an enforcement action against the company and its officers, directors, and employees for failure to make required disclosures or internal accounting control failures related to the SolarWinds breach. Notably, companies that knew of the SolarWinds breach prior to September 2020 are not eligible for the amnesty program. If a company that is eligible to participate in the SEC’s amnesty program chooses not to participate, the SEC may seek heightened penalties against it, as well as its officers, directors, and employees, for violations of the securities laws.
Prior SEC guidance, such as the SEC’s guidance from February 21, 2018, stressed the importance of disclosure controls and addressed the need for insider trading prohibitions. The 2018 guidance stressed the requirement that “public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” However, the June 2021 Letter might suggest that the SEC’s bar for what requires disclosure may be lower than previously understood.
Companies that have received this request, or that were impacted by SolarWinds, should immediately consider whether they have made the appropriate disclosures and/or have any internal control failures related to the incident. In doing so, companies should consider: 1) what systems were impacted by SolarWinds; 2) whether SolarWinds had an operational impact on the company; and 3) the remedial steps taken. If companies do plan to participate in the amnesty program, they must contact the SEC by June 24, 2021, and notify it of their intention to do so.