In Corporate Counsel, Ed McNicholas and Amy Jane Longo Discuss the SEC Probe into MOVEit Cyberattack

In The News
April 29, 2024

In an interview for Corporate Counsel, co-head of data, privacy & cybersecurity Ed McNicholas and litigation & enforcement partner Amy Jane Longo discuss the distribution of sweep letters to companies affected by last year’s MOVEit cyberattack. The breach compromised the private information of thousands of organizations, including banks, insurance companies, and hospitals, and an estimated 94 million individuals.

Ed said more downstream victims are still emerging.

“The MOVEit hack itself impacted several large professional services firms such as lawyers and auditors, and this has led to a very complicated situation where fourth parties and fifth parties are learning of it and the SEC is continuing to figure out how to grapple with oversight of the supply chain risk because of its complexity,” Ed said.

Amy said the letters may be used to investigate the circumstances related to the hack and to “look into registrants’ response to the hack in light of any obligations the SEC imposes on the registrants like investment advisers, broker dealers and public companies.” She added they “could be focused on how registrants responded to the hack and compliance with policies and procedures they may have, and whether they were obligated to make disclosures.”

The investigation follows the SEC’s new disclosure rules requiring public companies to report breaches that impact their business within four business days of determining they are material.