Americas, Content

SEC Investigation of SolarWinds Cyberattack: Will MSSPs Get Pulled Into Probe?

What if an SEC probe of the SolarWinds Orion cyberattack unveils unrelated hacker events, ransomware hits and data breaches across multiple companies?

That fear is quietly swirling across some portions of corporate America, according to a Reuters report. Indeed, the U.S. Securities and Exchange Commission is asking companies to turn over records into "any other" data breach or ransomware attack since October 2019 if they downloaded the hacked SolarWinds Orion product, the report says.

Read between the lines, and dozens of corporate executives are fearful that information from the SEC probe could expose them to liability, the report says.

Will MSSPs Be Swept Up In SEC Probe?

The big question mark: Could the probe extend from SolarWinds Orion end-customers to their supply chain partners -- particularly MSPs and MSSPs? The answer to that hypothetical inquiry is unknown so far.

Admittedly, it's unclear just how far the SEC will take the probe. On the one hand, the the requests for information are voluntary, the Reuters report notes. But on the other hand, companies that fail to disclose breaches or did not have the appropriate controls in place to deal with past attacks could face penalties, the report speculates.

In a search for information, the SEC sent letters to hundreds of companies in August 2021, though Reuters does not know the exact number of inquiries that the SEC is making.

SolarWinds disclosed the  Orion security breach in December 2019. The code injection, allegedly launched by hackers with ties to Russia, impacted numerous U.S. government agencies, business customers and consulting firms.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.

You can skip this ad in 5 seconds