by Michael Borgia and Tyler Bourke
The court’s decision may embolden the SEC and other regulators to subpoena law firms, response vendors, and software providers in cybersecurity investigations
The U.S. District Court for the District of Columbia recently issued its highly anticipated ruling in the subpoena fight between the U.S. Securities and Exchange Commission (“SEC” or “Commission”) and the law firm Covington & Burling LLP (“Covington”). On July 24, 2023, the court in SEC v. Covington[1] ordered the firm to comply in part with an SEC administrative subpoena that had been served on the firm in March of 2022 by providing the names of seven firm clients, the material nonpublic information of which had been compromised in a cyberattack on Covington’s information technology systems in November 2020.