TLDR:
Progress Software reported that the SEC has decided not to take action regarding the MOVEit exploitation incident, after a fact-finding investigation. This decision comes amidst regulatory fallout from other agencies and class action lawsuits.
- SEC declines to pursue action against Progress Software related to MOVEit exploitation
- Investigation stemmed from mass exploitation linked to Clop ransomware gang
Progress Software disclosed that the Securities and Exchange Commission (SEC) will not be recommending any enforcement action against the company following the investigation into the MOVEit file-transfer service vulnerability. The incident led to a widespread exploitation spree connected with the Clop ransomware gang, impacting numerous companies and organizations. The SEC subpoenaed Progress in October for a fact-finding probe into how the company handled the attack.
The decision not to pursue enforcement actions from the SEC is a positive development for Progress Software. However, the company still faces regulatory challenges from the Federal Trade Commission, state attorneys general, and ongoing class action lawsuits related to the incident. This news comes shortly after a federal court dismissed most of the civil charges in an SEC case against SolarWinds regarding cybersecurity oversight.
In recent years, federal agencies have been increasingly holding companies and senior executives accountable for their disclosures about cyber risk. Companies like Blackbaud and Uber have faced settlements and convictions for misleading disclosures related to cyber incidents. The SEC’s decision regarding Progress Software is in line with this trend of increased accountability in the cybersecurity realm.