Jan 11, 2023

SEC Accuses Top DC Law Firm of Stalling 2020 Cyberattack Probe

Zoe Tillman, Bloomberg News

The Securities and Exchange Commission (SEC) headquarters building stands in Washington, D.C., U.S. on Tuesday, Oct. 1, 2013. Photographer: Joshua Roberts/Bloomberg , Bloomberg

(Bloomberg) -- The Securities and Exchange Commission has accused law firm Covington & Burling of failing to comply with a subpoena for information about a 2020 cyberattack on the firm that potentially exposed client data.

In a new case filed this week in federal court in Washington, the commission said it was investigating whether securities laws were violated after Covington was targeted by a cyberattack in November 2020, in which a foreign actor may have accessed nonpublic information about clients, including 298 regulated companies.

Covington is one of the largest and most prestigious Washington-based multinational law firms, with former Attorney General Eric Holder among its partners and such political clients as President Joe Biden’s 2020 presidential campaign.

The firm has securities and regulatory practices and also has served as legal adviser on some large deals, including Merck & Co.’s $11.5 billion purchase of Acceleron Pharma Inc. in September 2021 and Renesas Electronics Corp.’s $5.9 billion takeover of Apple Inc. supplier Dialog Semiconductor Plc in February 2021.

The commission said it subpoenaed Covington in March 2022 after learning of the breach, and that the law firm had produced some information. However, government lawyers said Covington refused to comply with part of the subpoena asking for information about potentially affected clients, citing “privilege and client confidentiality.”

Covington told the commission that only seven of the 298 clients at issue had “material non-public information,” or MNPI, that the “threat actor” accessed, modified, or took, according to the SEC court filing. The commission hadn’t been able to verify that information and disagreed with the firm’s determination of what was MNPI.

‘Significant Risk’

“As a large law firm with hundreds of public company clients, Covington is regularly in possession of MNPI, the theft of which puts investors at significant risk. Neither Covington’s position as a victim of a cyberattack, nor the fact that it is a law firm, insulate it from the commission’s legitimate investigative responsibilities,” the SEC argued in its filing.

Covington said in a statement it would fight the SEC’s effort to enforce the subpoena in court. The firm said that it had “promptly” turned over information to the commission and cooperated with the Federal Bureau of Investigation, but “we made clear to the SEC that we cannot voluntarily comply with any attempt by the agency to obtain client confidential information, including the identity of affected clients and attorney-client communications.”

“We regard the SEC’s action as an unwarranted attempt to intrude on client confidences and the attorney-client privilege, the protection of which is a fundamental ethical obligation of the legal profession,” the firm said in its statement.

Kevin Rosen of Gibson, Dunn & Crutcher, who is representing Covington, called the case “a blatant fishing expedition” in a separate statement.

The attacks occurred when a series of previously unknown vulnerabilities — called zero days — were exploited in on-premises Microsoft Exchange servers. Microsoft provided patches for the flaws in early March, but ultimately an estimated tens of thousands of global victims were infected with malware.

Ties to China

Those attacks were later attributed to actors — dubbed Hafnium — affiliated with the Chinese government. But as news of the flaws become public, other hacking groups joined in attacking the flaws in Microsoft’s email software.

Covington previously told the SEC that its own investigation found that the breach of its network targeted certain members of the firm in an effort to “to learn about policy issues of specific interest to China in light of the incoming Biden administration,” according to a June 2022 memo from the firm’s lawyers at Gibson Dunn included in the commission’s court papers.

The SEC didn’t identify in its filing specific companies potentially affected by the breach. Its lawyers argued that knowing which public companies had “material” information exposed would empower the agency to use other tools to look for any “suspicious trading” and to make sure those companies made required disclosures to investors and the public.

The agency said that it tried to work with the firm and to narrow the scope of its requests for information, but couldn’t reach an agreement.

Covington’s June memo argued that the commission’s “speculative need” didn’t outweigh the consequences for the firm’s protected attorney-client relationships.

In a statement on Thursday to Bloomberg News, the SEC enforcement head Gurbir Grewal said Covington was the only source of the information and that the agency needed it to help identify hackers, as well as any possible securities law violations. He said that the regulator was seeking a court order to direct the firm “to comply with a single, narrowly tailored request for documents.”

“The request does not seek any information protected by the attorney-client privilege or other sensitive information; rather, it only requests the names of entities regulated by the commission whose data was maliciously and unlawfully breached as part of a cyberattack against Covington,” Grewal added.

The case is Securities and Exchange Commission v. Covington & Burling, 23-mc-00002, US District Court, District of Columbia (Washington).

--With assistance from Andrew Martin, Chris Dolmetsch, Lydia Beyoud and Ben Bain.

(Updates with comment from SEC enforcement head in final two paragraphs.)