Massive SEC Investigation Into Cyber-Security

This will most certainly affect the likes of faves on this board: $CRWD, $NET, $ZS, $OKTA (and others I’m not following at this moment).

The new cops at the SEC are taking cyber-security more seriously now that they have been on the job and have looked over first responses in more depth concerning what started with the SolarWinds hack.

One of the new side stories here is the SEC is going after “bad actors” who may have never notified them of prior hacks, not just the Russian SolarWinds hack. To not fess up to prior hacks is a violation of “full disclosure of material information” which should have been shared with investors. Prior hacks’ non-disclosure also set back other companies as it gave hackers more time to infect infrastructure elsewhere.

Another side story is companies that did not respond to earlier requests for this data sought by the SEC in June through August are now being told to pony up what is being requested, or face stiff action. Many of these affected companies have legit questions about what would happen with data they might share with the SEC. Who controls it, who secures it?

This is going to be a growing headline story going forward as it appears there were more hacks than what we were led to believe back when this was breaking news. Let’s hope some of our best IT types on this board will keep us apprised of what they might be seeing in the fields concerning this investigation.

My bet is this will be a bigger tailwind for our cyber-security stocks now that the SEC is joining our intelligence agencies, foreign and domestic, to get a real feel to just how compromised our data in some of our most trusted companies might be. Being fined for lack of proper cyber-security full disclosure is not something you want clients to hear. Who you gonna call to rid your SaaS of any improper snooping by outside operatives? My hope is many of Saul’s best of class cyber-security stocks are perfectly placed to enjoy new 52-Week/All-Time Highs.

https://www.reuters.com/technology/exclusive-wide-ranging-so…

Sept 10 (Reuters) - A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry.

The SEC is asking companies to turn over records into “any other” data breach or ransomware attack dating back to October 2019 if they downloaded a bugged network-management software update from SolarWinds Corp (SWI.N), which delivers products used across corporate America, according to details of the letters shared with Reuters.

People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign, giving the SEC a rare level of insight into previously unknown incidents that the companies likely never intended to disclose.

“I’ve never seen anything like this,” said a consultant who works with dozens of publicly traded companies that recently received the request. “What companies are concerned about is they don’t know how the SEC will use this information. And most companies have had unreported breaches since then.” The consultant spoke on condition of anonymity to discuss his experience.

65 Likes

This is the opening of the United States Government (USG) coming to a better understanding of security incidents. Nothing material right now. Do keep in mind, what to report MATTERS. Let me emphasize you could send SIEM logs to the SEC all day long measured in the gigabytes. The trouble is quantifying what constitutes a security incident and what level of severity would require a disclosure to the USG. This isn’t settled and is being worked on. I’m not talking strictly SEC, but also DHS, FBI, and basically the USG Intelligence Community.

There’s also a tug-of-war in reporting ransomware attacks since the company could face OFAC sanctions. Yet, the business decision might be to pay the ransomware to resume business operations sooner and mitigate the damage. There’s no settled law in mandatory compulsion of a company to not pay a ransom.

See more here: https://home.treasury.gov/system/files/126/ofac_ransomware_a…

If the SEC implies a ‘material disclosure’, that would have to face court-settled law in its determination. Fertile ground, since cyber activity is very much ahead of settled law and existing compliance regulations. Yet, the SEC would have trouble in fully determining what constitutes such a disclosure at present.

~ Bizkikr

8 Likes