SEC investigates businesses impacted by large-scale MOVEit cyberattack

April 26, 2024
TLDR:

  • The SEC is investigating companies affected by the massive MOVEit cyberattack in May 2023.
  • SEC investigators are sending sweep letters to companies impacted by the hack to gather information.

The Securities and Exchange Commission (SEC) has initiated an investigation into companies that were targeted in the large-scale MOVEit cyberattack that occurred in May 2023. The attack, which affected 2,770 organizations worldwide and compromised the private information of over 94 million individuals, was carried out by the ransomware gang Cl0p through a vulnerability in Progress Software’s tool, MOVEit.

The SEC has sent sweep letters to numerous companies impacted by the hack, seeking information on the timeline and content of notifications, breach response, ransom demands or payments, cybersecurity governance, and external communications about the cyber incident. The sweep letters are part of an information-gathering process to understand the impact of the hack on the companies and their compliance with SEC regulations.

Legal experts, including Ed McNicholas and Amy Jane Longo from Ropes & Gray, noted that the SEC’s interest in the MOVEit cyberattack is multi-faceted, covering potential violations and enforcement actions. The investigation comes against the backdrop of the SEC’s increasing focus on cybersecurity and protecting investors from cyber threats.

While the sweep letters do not indicate that companies are under investigation, they serve as a means for the SEC to collect information that could lead to enforcement actions or regulatory changes. The SEC’s actions underscore the importance of cybersecurity risk management for companies, including registered investment advisers and broker-dealers, in safeguarding client and customer information.
