SEC Wants Security Incident Data from Organizations That Used SolarWinds Software
As part of an investigation, the US Securities and Exchange Commission is asking organizations that downloaded SolarWinds software to submit records related to any security incidents dating back to 2019. Some organizations have expressed concern that by submitting previously undisclosed information to the SEC, they are opening themselves to liability.
This is a needed investigation, with very little risk to companies that provide information, given existing requirements to publicly disclose incidents with material impact.
What we have been missing in cybersecurity is a body similar to the US National Transportation Safety Board (NTSB), which investigates root causes in aviation accidents, to investigate and share the root causes and potential remedial actions in relation to cybersecurity incidents. However, a body that has the potential to sanction a firm over other regulatory issues is not the body to do this.