Skadden reported many of its clients receiving an “invitation” from the SEC to voluntarily disclose information about how their company was affected by the SolarWinds cyber attack, and any responsive remedial action the company implemented, to avoid SEC enforcement for the company’s failure to make timely required disclosures or maintain adequate internal controls relating to the hack.
Importantly, companies reportedly must notify the SEC whether they intend to provide the information by June 24 and must provide the information to the SEC by July 1, subject to “extenuating circumstances.” The SEC’s offer is accompanied by cyberattack document preservation requirements and is limited to disclosure and internal control violations.