WASHINGTON (Reuters) – The U.S. Securities and Exchange Commission (SEC) has opened a probe into last year’s SolarWinds cyber breach over whether some companies failed to disclose that they had been affected by the unprecedented hack, an agency official said on Monday.
The SEC sent investigative letters late last week to a small number of public issuers and investment firms seeking voluntary information on whether they had been victims of the hacker and failed to disclose it.
The agency said it was also seeking information on whether public companies that had been victims had experienced a lapse of internal controls, and related information on insider trading. U.S. securities law requires companies to disclose material information that could affect their share prices.
“We think that the information we’re asking for will help us assess the impact of the breach, and it may also help us identify trading or other securities law violations,” said the official, who spoke under the condition of anonymity for discussing ongoing, confidential agency investigations.
In December, U.S. regulators found that a breach by a foreign actor of SolarWinds’s software gave hackers access to data of thousands of companies and government offices that used its products.
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack, which compromised nine U.S. federal agencies and hundreds of U.S. private sector companies.
A spokesperson for SolarWinds did not respond immediately to a request for comment.
(Reporting by Katanga Johnson; Editing by Steve Orlofsky)