In the latest sign that the SEC’s Enforcement Division continues to investigate whether public companies are properly disclosing cyber attacks — and whether any insiders have made trades based on material nonpublic information about incidents — it’s come to light that the SEC has now asked at least one law firm to give it the names of clients that were affected by a breach. Understandably, the firm is not planning to voluntarily comply — so the Commission is taking the matter to court.
Last week, the SEC announced a subpoena enforcement action against Covington, looking to get the names of clients that were affected by a cyber attack against the firm in November 2020. Here’s more detail from the SEC’s press release:
Through its subpoena enforcement action, the SEC is seeking only the names of those clients whose files were viewed, copied, modified or exfiltrated by the threat actors. According to the filing, the SEC seeks this information to assist it in identifying any suspicious trading by the threat actors or others in those clients’ securities, and whether such trading was illegal based on material non-public information that the threat actors viewed or exfiltrated as part of the cyberattack.
In addition, the information will assist the SEC in determining whether the impacted clients made all required disclosures to the investing public about any material cybersecurity events in connection with the cyberattack. To date, Covington has refused to provide the names of all but two of the clients, and those two clients consented to providing their names to the SEC.
The SEC is seeking a court order from a D.C. District Court and is also continuing its fact-finding investigation. The Commission acknowledges that, to date, it has not found any violations of securities laws.
Covington’s counsel and other white collar lawyers are saying that if the SEC succeeds with its request, it could have implications for whether attorney-client privilege will hold up in the face of government investigations. A recent Law.com article reinforces why law firms will find this problematic — and says the SEC has a steep hill to climb:
In order to succeed, Rahman said the SEC would have to convince the judge that there’s no other way to get the information to conduct its investigation.
“The SEC has a ton of investigative tools at its disposal,” she said. “Asking a firm for confidential information should be a last resort and they don’t say they used any other avenues.”
The SEC’s focus on cyber matters carries forward clear priorities from the past two years. In addition to the SEC aiming to adopt “cybersecurity risk governance” disclosure rules in April of this year, the Enforcement Division contacted companies affected by the December 2020 SolarWinds attack in a June 2021 enforcement sweep. The SEC also reorganized and created 20 new Enforcement positions dedicated to crypto and cyber last spring.
— Liz Dunshee, TheCorporateCounsel.net, January 17, 2023