The U.S. Securities and Exchange Commission (SEC) has opened an investigation into last year’s SolarWinds hack to determine whether some companies failed to disclose that they had been affected by the breach, Reuters reported, citing people familiar with the investigation.
According to the sources, the SEC sent investigative letters last week to a number of public issuers and investment firms seeking voluntary information on whether they had been victims of the hack and failed to disclose it.
In addition, the agency is seeking information on whether the affected companies had experienced a lapse of internal controls, and related information on insider trading. It also looks at the policies at certain companies to assess whether they are designed to protect customer information, according to Reuters.
U.S. securities law requires companies to disclose material information that could affect their share prices, including cyber breaches.
Companies that have provided details about the breaches would not face enforcement actions related to historical failures, including internal accounting control failures, the sources said.
While the letters are focused on the SolarWinds breach, the SEC may develop future policies on the impact of cyber security issues on the markets and on investors, the sources told Reuters.