SEC Probing Firms Hit by Massive MOVEit Cyberattack

What You Need to Know

The agency has sent dozens of sweep letters to companies affected by the hack, which affected 2,770 organizations.

Securities and Exchange Commission investigators are sending sweep letters to companies that fell prey to last year’s MOVEit cyberattack, Law.com has learned.

Law.com is published by ALM, ThinkAdvisor’s parent company.

The commission is examining the material impact of the May 2023 hack, which compromised the private information of 2,770 organizations and more than 94 million individuals worldwide, according to a running tally by anti-virus software firm Emisisoft. The victims include banks, insurance companies, hotels, airlines, hospitals and multiple federal agencies.

To pull it off, the ransomware gang C10p exploited a vulnerability in Progress Software’s secure file encryption and transfer tool MOVEit, making off with a trove of social security numbers, birthdates, driver’s license numbers, tax identification numbers and health records.

Ed McNicholas, co-leader of Ropes & Gray’s data, privacy and cybersecurity practice, said more downstream victims are still emerging.

“The MOVEit hack itself impacted several large professional services firms such as lawyers and auditors, and this has led to a very complicated situation where fourth parties and fifth parties are learning of it and the SEC is continuing to figure out how to grapple with oversight of the supply chain risk because of its complexity,” he said.

The letters went to dozens of companies and cover such topics as the timeline and content of notification from Burlington, Massachusetts-based Progress, whether that notice triggered other notices to clients and ransom requests or payments, as well as cybersecurity governance and external communications about cyber incidents.

The SEC’s targeted exams are part of an information-gathering process commonly known as a sweep. Amy Jane Longo, a former SEC trial lawyer and partner in Ropes & Gray’s litigation and enforcement practice, confirmed that the SEC “has issued letters asking for information on a voluntary basis about the impact of the hack.”

The existence of the sweep letters has not been previously reported.

Longo said the letters could have a dual purpose: to investigate the circumstances related to the hack and to “look into registrants’ response to the hack in light of any obligations the SEC imposes on the registrants like investment advisers, broker dealers and public companies.”

She said the latter piece “could be focused on how registrants responded to the hack and compliance with policies and procedures they may have, and whether they were obligated to make disclosures.”

Longo and McNicholas said they were unable to discuss specifics about the letters or reveal which companies received them.

This isn’t the first time the SEC has used this investigative tool in connection with a cyberattack. In 2021, the SEC issued sweep letters as part of its probe into the massive 2020 SolarWinds hack, which was perpetrated by a Russia-backed hacker group Cozy Bear.

The group committed what’s known as a supply-chain attack, injecting malicious code into SolarWinds’ software platform Orion that created a backdoor through which it could access customers’ files undetected. Routine software updates infected with the code allowed the malware to proliferate.

The SEC’s investigation of the hack led the commission in October to bring civil fraud charges against SolarWinds and its chief information security officer, Timothy Brown.

The suit, filed in federal court in New York, accuses SolarWinds and Brown of overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. The company and Brown deny the allegations.