SEC investigating if companies failed to disclose breaches in SolarWinds hack

The Securities and Exchange Commission is probing whether some U.S. companies failed to disclose that they had been a victim of the massive SolarWinds breach by Russian hackers, according to Reuters.

Why it matters: U.S. securities law requires companies to disclose information, like a cyberattack, that could impact their share prices.

• The SEC sent letters last week to a small number of public issuers and investment firms asking for voluntary information on whether they had been victims of the hack and failed to disclose it, according to Reuters.
• It also sought information on whether public companies that had been attacked had experienced a lapse of internal controls.

While the extent of the SolarWinds breach is still unclear, it's known that hackers compromised networks tied to the Treasury, Defense, Commerce and State departments and several U.S. companies.

• The undefined nature of the breach is largely because it's unknown how long it went undetected or even how it started.

The big picture: Despite U.S. sanctions in response to the breach, the Russian hackers responsible for SolarWinds have launched new waves of cyber campaigns.

• Last month, Microsoft disclosed that it detected a hacking campaign from the group targeting cyberattacks targeting government agencies, think tanks, consultants, and NGOs.

Go deeper: New SEC chairman is changing the regulator's approach