In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs
June 24, 2021
The staff of the U.S. Securities and Exchange Commission is conducting an investigation regarding a cyberattack involving the compromise of software made by the SolarWinds Corp., which was widely publicized in December 2020 (“SolarWinds Compromise”). As part of this investigation, the staff issued a letter requesting that certain entities provide information to the staff on a voluntary basis (hereinafter, “Letter”). Below are FAQs the staff expects to be helpful to Letter recipients. The FAQs may be updated periodically, and the most recently updated version will be posted on the Division of Enforcement page of www.sec.gov.
- I received a notification from Zix Mail. Is it legitimate?
The SEC uses Zix Mail service for sending encrypted messages in connection with its confidential investigations, including this one. When we send an encrypted message via Zix Mail, the recipient receives a notification message from Zix Mail. An authentic notification of a message from Zix Mail will:
  - Be sent only from email@example.com
  - Direct you to a link starting with “https://web1.zixmail.net”
- Why did recipients receive the Letter?
Based on information in our possession, we believe Letter recipients may have been impacted by the SolarWinds Compromise. We are asking recipients for related information.
- Where did you hear that recipients may have been affected by the breach?
Because our investigations are confidential, we are not in a position to disclose other investigative steps that we have taken to this point.
- Why should recipients participate?
Subject to certain limitations and conditions, the Commission’s Division of Enforcement will not recommend that the Commission pursue enforcement actions against recipients that meet the requirements set out in the Letter that recipients received with the voluntary request for information. Please carefully read the Letter for additional details.
- Can recipients’ self-disclosure of other cybersecurity events not related to the SolarWinds Compromise be eligible for the Division of Enforcement’s recommendation not to pursue an action against it?
As always, entities and individuals may self-report any possible violations of the securities laws to the Commission. However, self-reported conduct outside the scope of conduct involving the SolarWinds Compromise would not be eligible for the terms described in the Letter and would instead be evaluated on a case-by-case basis.
- What steps do recipients have to take to address outstanding disclosure violations in order to qualify for the benefits of the SolarWinds Event Response (as that term is defined in the Letter)?
As described in the Letter, recipients should address any failures to make required disclosures prior to responding in order to be eligible for the benefits described in the Letter. As described in the 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosure, companies are expected to provide disclosures that are tailored to their particular cybersecurity risks and incidents. It is for each recipient to determine what means are sufficient to address any existing disclosure failures.
- Will the Division pursue enforcement actions related to any “Other Compromises” that have been addressed or remediated by a recipient prior to responding to the Letter?
The benefits described in the Letter relate only to the SolarWinds Compromise. As described in the Letter, conduct involving Other Compromises would be considered self-reported conduct outside of the scope of the SolarWinds Event Response and reviewed on a case-by-case basis.
- If a recipient did not install compromised versions of the SolarWinds software, does it need to respond to the other questions in Attachment A?
To the extent a Letter recipient did not install any compromised version of the SolarWinds software, then it would not need to respond to additional Requests beyond Request 1(b). SolarWinds has publicly identified the compromised versions as Orion Platform software version 2020.2 (with no hotfix); Orion Platform software version 2020.2 HF 1; and Orion Platform software version 2019.4 HF 5. If a recipient’s responses to items 1(a) and 1(b) do not include any of those versions of the Orion Platform software, then it does not need to respond to Request Nos. 2-5 of Attachment A.
- Do recipients need to respond to Request No. 5 regarding “Other Compromises” to be eligible for the benefits of the SolarWinds Event Response?
To be eligible for the benefits described in the Letter, recipients that installed any compromised version of the SolarWinds software (see FAQ No. 8, above, for a listing of the compromised software versions) should provide the information requested in Attachment A, including the information in Request No. 5 regarding Other Compromises.
- If a recipient has not installed a compromised version of the SolarWinds software, does it need to preserve documents relating to “Other Compromises”?
To the extent a recipient did not install any compromised version of the SolarWinds software (see FAQ No. 8, above, for a listing of the compromised software versions), it does not need to preserve documents in connection with this investigation as described in the Letter.
- Does Request No. 5 refer to external attacks (as opposed to internal conduct by employees)?
Request No. 5 seeks information relating to external attacks as indicated by the reference to hacks, data breaches and ransomware attacks.
- Does the phrase “one day” used in the definition of “Other Compromises” mean 24 hours (as opposed to unauthorized access spanning two calendar days, but less than 24 hours)?
“One day” as used in the definition of “Other Compromises” refers to an event lasting longer than 24 consecutive hours.
- Does the definition of “Other Compromises” include unauthorized access or hacks that do not result in access to material non-public information or that were financially or operationally immaterial to a recipient’s operations?
“Other Compromises” as used in Request No. 5 refers to unauthorized access by external actors lasting longer than one day, without limitations based on materiality or access to material non-public information. This Request seeks information regarding such unauthorized access by external actors. It does not, for example, seek information about denial of service attacks.
- Are recipients targets of the investigation?
As described in the Letter, this is a confidential fact-finding investigation. We do not identify recipients as subjects, targets, or otherwise. Receipt of this Letter does not mean that we have concluded that the recipient or anyone else has violated the law. The existence of our investigation also does not mean that we have a negative opinion of any person, entity, or security.
- Should recipients retain a lawyer?
We cannot advise recipients whether or not to retain counsel to respond to this request.
- Is this a subpoena?
This is not a subpoena. It is a voluntary request for information and notice requiring preservation of certain documents.
- Should recipients disclose the impact of the SolarWinds Compromise to their investors?
We cannot provide legal advice. Recipients are welcome to consult legal counsel regarding any reporting or disclosure obligations.
- Can we get an extension of time to respond?
The information we request is limited in nature and the staff believes that the deadlines set out in the Letter provide adequate time for a reasonable response. However, if due to extenuating circumstances a recipient is unable to comply with the deadlines set out in the Letter, a request for an extension from the staff may be made by sending an email to Questions-HO14225@sec.gov as follows:
  - In the subject line, enter: “Deadline extension request”
  - In the body of the message, provide:
    - The name of the company listed as the recipient on the request,
    - The deadline set out in the request, and
    - A detailed description of the reasons why the company believes it is unable to comply with the deadline.
  - Attach a copy of the request the company received.
- What can recipients expect if they seek an extension of time?
As described in FAQ No. 18, above, any recipient wishing to request an extension of time to respond may request an extension from the staff by sending an email to Questions-HO14225@sec.gov. We anticipate that a single two-week extension of the deadlines set forth in the Letter will be granted as a matter of course. To ensure accurate processing of any extension request, please be sure to follow the directions in FAQ No. 18, above.
- What’s the best way to respond to this request?
Please enter the response into the “Attachment A Response Template.xlsx” and return it to Submissions-HO14225@sec.gov using the Zix Mail portal. Please include a copy of the request received, so that we can connect your response to our corresponding request.
- We still have questions. How can we contact you?
You may submit questions to Questions-HO14225@sec.gov. Before you submit any questions to this mailbox, please carefully review the Letter, the request, and these FAQs, which may provide the answers you are seeking.