The Securities and Exchange Commission is investigating how companies responded to last year’s SolarWinds Corp. hack, which rippled through computer systems across the U.S. government and corporate America.

The SEC is seeking to determine whether public-company victims made appropriate disclosures to investors, if there was suspicious trading related to the attack and whether private data was compromised, said people with direct knowledge of the matter who asked not to be named because the probe is private.

The SEC sent letters last week to companies that it believes were impacted, asking that they provide details on how their businesses were harmed, the people said. To encourage cooperation, the regulator signaled it wouldn’t penalize firms that share data voluntarily.

An SEC spokesperson declined to comment.

The attackers installed malicious code in updates for popular software from SolarWinds, which was widely used by the government and corporations. In all, nine federal agencies and about 100 companies were infiltrated by the hackers via SolarWinds and other methods. While the motives behind the breach remain unclear, the U.S. blamed Russia and sanctioned dozens of entities and officials in April. For its part, Russia has denied any involvement.

Under U.S. securities laws, public companies must disclose information that’s important enough to be considered material to an investor’s decision to buy or sell a stock -- including cyberattacks. The SEC letter came from the agency’s enforcement division, which is responsible for investigating and suing firms that violate rules.