On Tuesday, the Securities and Exchange Commission (SEC) applied for an order to show cause why the law firm of Covington & Burling LLP should not be directed to comply with an administrative subpoena issued in connection with an SEC investigation following the breach of Covington client data associated with the Microsoft Hafnium cyberattack.
According to the motion, the SEC wants the names of all 298 SEC-regulated clients who had information accessed as part of the cyberattack and says that Covington has no legitimate basis for withholding it.
The hack, which occurred around November 2020, resulted in malicious, foreign actors gaining unauthorized access to Covington’s computer network and certain individual devices.
In light of the breach, the SEC launched an investigation to determine “whether the malicious activity resulted in violations of the federal securities laws to the detriment of investors.”
As part of ensuing negotiations with the SEC, Covington attempted to identify how many of the 298 public company clients had material non-public information (MNPI) exfiltrated. The law firm concluded that seven impacted client files contained MNPI.
Yet, the SEC says it has been unable to verify that information and disagrees with how Covington determined what constituted MNPI. Covington pushed back on privilege and client confidentiality grounds, prompting the SEC to file the instant application.
In the filing, the SEC first notes that “[a]s a large law firm with hundreds of public company clients, Covington is regularly in possession of MNPI, the theft of which puts investors at significant risk.” The SEC adds that cybersecurity issues have never been more central to its mission to protect investors owing to the increasing number of attacks on public companies, often with the perpetrators seeking to profit at investors’ expense.
Substantively, the agency says that neither its position as a cyberattack victim nor the fact that it is a law firm shields Covington from the SEC’s investigative responsibilities. Further, the motion contends that the subpoena does not infringe on privilege or compliance obligations, does not violate the D.C. Rules of Professional Conduct, and is not unduly burdensome.