The Securities and Exchange Commission (SEC) asked a federal court to force Covington & Burling to comply with a subpoena seeking the law firm turn over names of about 300 clients impacted by a 2020 cyberattack.

The SEC announced Jan. 12 it filed an application to the U.S. District Court for the District of Columbia for the court to order Covington to show cause as to why it should not be compelled to comply with the agency’s subpoena, which relates to the Microsoft Hafnium cyberattack.

Microsoft announced in March 2021 some of its programs were vulnerable to hacking and that a China-based group, Hafnium, exploited the weaknesses at government agencies, businesses, and schools globally. On March 16, 2021, the SEC announced it was launching an investigation about the impact of the attack on publicly traded companies.

The agency said it didn’t learn until early 2022 that Covington had been hit by the attack and the data of nearly 300 clients regulated by the SEC was compromised. The SEC was concerned cybercriminals could be using the clients’ credentials to illegally trade, it said.

The SEC issued a subpoena to Covington on March 21, 2022, asking for the names of the clients “whose files were viewed, copied, modified, or exfiltrated by the threat actors,” the agency said.

It also wants the information so it can check whether the clients “made all required disclosures to the investing public about any material cybersecurity events in connection with the cyberattack,” the SEC said.

“The SEC is continuing its fact-finding investigation and, to date, has not concluded that any individual or entity has violated the federal securities laws,” the agency said.

The firm has only handed over the names of two clients who consented to providing their information to the SEC. The firm does not intend to provide any further names, a spokesperson told Compliance Week in an emailed statement.

“We made clear to the SEC that we cannot voluntarily comply with any attempt by the agency to obtain client confidential information, including the identity of affected clients and attorney-client communications,” a Covington spokesperson said. “The firm intends to contest the SEC’s subpoena enforcement action.

Added Kevin Rosen, partner at Gibson Dunn and counsel to Covington, “This broad assault on the attorney-client relationship and confidential client information threatens all clients and their lawyers, and Covington will do everything in its power as the law demands to protect that relationship and those privileged confidences by opposing the SEC’s unwarranted intrusion here.”

Adrianne Appel writes regulatory news, policy, and trends for Compliance Week. She previously reported about policy developments for Bloomberg Law and Bloomberg Government.

Topics