SEC takes no action on Progress Software for MOVEit Transfer case

The Securities and Exchange Commission (SEC) notified Progress Software on Aug. 6 that it does not intend to recommend an enforcement action against Progress for the MOVEit Transfer vulnerability that impacted 95 million people.

Progress went public with the information in an Aug. 7 SEC filing, in which it said the company received a subpoena from the SEC on Oct. 2, 2023 as part of a fact-finding inquiry that sought various documents and information relating to the MOVEit flaw.

The MOVEit bug became big news in late May 2023, when it was reported that MOVEit had been hacked and data was being stolen by the Clop ransomware gang. It was considered a big deal because thousands of governments, financial institutions and other public- and private-sector organizations around the world use the app.

While any analysis around the SEC’s determination is pure speculation, Callie Guenther, senior manager of threat research at Critical Start, pointed out that Progress Software largely cooperated with the SEC.

Guenther said important factors leading to the SEC’s decision could include the following:

  • Timely disclosure: Progress Software may have disclosed the breach and vulnerability promptly, following regulatory requirements and industry best practices.
  • Lack of intentional misconduct: There was likely no evidence of fraud, misleading statements, or intentional withholding of information related to the breach.
  • Cooperation with authorities: The company may have cooperated fully with investigative authorities, demonstrating good faith efforts to address the incident.

Guenther, an SC Media columnist, added that if companies delay disclosure, offer misleading statements, and are found to be negligent of common cybersecurity best practices, the SEC has been known to issue hefty fines. An example of such action was when the SEC fined Yahoo $35 million for failing to promptly disclose a 2014 data breach that affected hundreds of millions of user accounts.

“In Yahoo's case, the delayed disclosure misled investors about the company's cybersecurity risks and its efforts to protect user data,” said Guenther. “This breach of investor trust and securities law warranted the SEC's intervention. In the MOVEit incident, the absence of such factors likely influenced the SEC's decision to end their probe without enforcement action.”

Morgan Wright, chief security advisor at SentinelOne, said he thought it was the right outcome. First, it was a zero-day exploit: that meant no one knew about it. Wright said it would have been different if Progress Software knew of the vulnerability and didn’t take appropriate action to fix and notify.

“Although it led to a bad outcome, there’s already a mechanism in place to address it — litigation,” said Wright. “Progress Software faces numerous class action lawsuits, so maybe the SEC thought piling on wasn’t necessary. However, there’s little we can glean from the sparse filing. The SEC doesn't say why they concluded their enforcement action, only that they have.”

Wright, an SC Media columnist, pointed out that the other reason enforcement action may not have been appropriate is because it wasn’t trying to solve an institutional issue the way Sarbanes-Oxley (SOX) did with fraud. There are generally three phases used to address conduct: litigation, regulation, and legislation. Wright said with SOX, litigation and regulation didn't work, so legislation was the final option.

“With Progress Software, it may be that these kinds of issues haven’t reached the institutional issue like fraud did, so no need to address it yet,” said Wright. “The simple fact of opening an enforcement action and firing off subpoenas may have served notice on the rest of the industry that these issues could be addressed at some point in the future. For now, litigation is the first step.”

Tom Siu, chief information security officer at Inversion6, also agreed the SEC made the right move, and said it is possibly an acknowledgement that its enforcement actions may hinder rather than help the resolution of zero-day vulnerabilities in the software industry. Realistically, Siu said, a zero-day can happen to any vendor or product, and astute CISOs at these organizations have been tuning their response plans to this type of blended supply-chain risk.

“With the wave of Form 8-K filings in 2023 and 2024, and overreporting due to unclear SEC thresholds of incident materiality, the industry will likely find a clear equilibrium for SEC reporting,” Siu said. “The compliance risk for SEC enforcement will still exist for public companies, but in general the SEC should take a stance that their regulatory heft should be reserved for egregious violations of basic cybersecurity practices.”

Krishna Vishnubhotla, vice president of product strategy at Zimperium, added that the SEC's decision not to recommend enforcement action against Progress Software does not absolve organizations from the critical responsibility of vetting their third-party applications. As modern businesses increasingly rely on complex supply chains and third-party integrations, the potential for security vulnerabilities escalates significantly — a trend that shows no signs of diminishing, said Vishnubhotla.

“The MOVEit Transfer incident…starkly underscores the need for rigorous security assessments both during procurement and when updates are delivered by third parties,” said Vishnubhotla. “This risk is particularly acute for mobile apps, where businesses frequently use off-the-shelf work applications and develop in-house apps incorporating numerous third-party components. Consequently, the supply chain is deeply intertwined with daily business operations.”
