WASHINGTON, June 21 (Reuters) - The U.S. Securities and
Exchange Commission (SEC) has opened a probe into last year's
SolarWinds cyber breach, focusing on whether some
companies failed to disclose that they had been affected by the
unprecedented hack, two persons familiar with the investigation
said on Monday.
The SEC sent investigative letters late last week to a small
number of public issuers and investment firms seeking voluntary
information on whether they had been victims of the hack and
failed to disclose it, said the persons, speaking on condition
of anonymity to discuss confidential investigations.
The agency is also seeking information on whether public
companies that had been victims had experienced a lapse of
internal controls, and related information on insider trading.
The agency is also looking at the policies at certain
companies to assess whether they are designed to protect
customer information, one of the people said.
A spokesperson for SolarWinds, which provides a range of IT
software, networks and systems, did not respond immediately to a
request for comment. The SEC's press office declined to comment.
U.S. securities law requires companies to disclose material
information that could affect their share prices, including
cyber breaches, although cyber security disclosure failures are
still relatively new enforcement territory for the SEC.
In December, U.S. regulators found that a breach of
SolarWinds' software by a foreign actor gave hackers access to
data of thousands of companies and government offices that used
its products. News of the hack sent SolarWinds' share price
tumbling, while cyber security stocks rallied.
The United States and Britain have blamed Russia's Foreign
Intelligence Service (SVR), successor to the foreign spying
operations of the KGB, for the hack, which compromised nine U.S.
federal agencies and hundreds of U.S. private sector companies.
If the issuers and investment firms respond to the letters
by disclosing details about the breaches, they would not be
subject to enforcement actions related to historical failures,
including internal accounting control failures, the people said.
While the letters are focused on the SolarWinds breach, the
SEC may develop future policies on the impact of cyber security
issues on the markets and on investors, the people said.
(Reporting by Katanga Johnson; Editing by Steve Orlofsky)