U.S. District Judge Amit Mehta of the District of Columbia has ruled that Covington & Burling must disclose to the U.S. Securities and Exchange Commission the names of seven clients whose information may have been exposed in a 2020 cyberattack that impacted the firm.

“Covington shall produce to the Commission the names of the seven clients as to whom it has not been able to rule out that a threat actor accessed material nonpublic information,” Mehta wrote in his opinion Monday.