The United States Securities and Exchange Commission (SEC) has launched a probe to determine whether some companies failed to disclose that they had been impacted by the 2020 hacking attack that compromised the SolarWinds Orion software supply chain.
The assault on SolarWinds was discovered and disclosed by researchers at FireEye in December. The advanced persistent threat (APT) group behind the attack was able to compromise nine government agencies, critical infrastructure, and an estimated 100 private-sector organizations.
Last month, SolarWinds CEO Sudhakar Ramakrishna revealed that the attackers may have accessed the company's system as early as January 2019.
The United Kingdom and the US have laid the blame for the hack at the door of Russia's Foreign Intelligence Service (SVR). Russia has denied any culpability for the attack.
Two people familiar with the SEC investigation told the news source Reuters that letters were sent out last week by the SEC to a number of investment firms and public issuers. In the missives, the Commission asked the entities to voluntarily state whether they had been victimized by the unprecedented SolarWinds hack and kept quiet about it.
The anonymous sources also said that in addition to probing data breach disclosure failures, the SEC is seeking to determine whether the cybersecurity policies at certain companies were designed to protect customer data.
A spokesperson for SolarWinds said in a statement: "Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues."
The company added that it is "collaborating with government agencies in a transparent way."
Under United States securities law, companies are required to disclose material information that could affect their share prices, including data on breaches caused by cybersecurity incidents.
If the entities that receive the SEC's letters reply by disclosing information about the breaches, they will avoid any enforcement actions linked to internal accounting control failures and historical failures, the sources said.
They added that the SEC was considering creating new policies regarding the effect of cybersecurity issues on investors and markets.