According to two sources familiar with an SEC investigation, the regulator has opened an investigation into last year’s SolarWinds cyber attack; the probe is focusing on whether companies failed to disclose that they had been affected by the hack.
Last week, the SEC sent investigative letters to a number of public issuers and investment firms requesting voluntary information on whether they had been victims of the hack and had failed to disclose it, said sources speaking on the condition of anonymity.
The SEC is also seeking information on whether public companies that had been victims had experienced a lapse of internal controls, and related information on insider trading.
The regulator is also looking at the policies of certain companies to assess whether they are designed to protect customer information, said a source.
“Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues,” said a spokesperson from SolarWinds, adding that the company is “collaborating with government agencies in a transparent way”.
According to U.S. securities law, companies must disclose all material information that could potentially have an impact on their share price, including cyber breaches; however, cyber security disclosures are still relatively new enforcement territory for the SEC.
“If the issuers and investment firms respond to the letters by disclosing details about the breaches, they would not be subject to enforcement actions related to historical failures, including internal accounting control failures,” said sources.
Although the letters are focused on the SolarWinds cyber attack, “the SEC may develop future policies on the impact of cyber security issues on the markets and on investors,” said sources.