The US Securities and Exchange Commission is asking tech and telecom companies how they handled the sprawling 2020 SolarWinds cyberattack, and drawing fire from the cybersecurity industry and big business for what they call overreach.

The SEC, which sought the information from a broader swath of victim companies in the wake of the massive hack, has been refining its inquiries, according to people familiar with it, who didn’t identify the companies. The regulator has asked for internal communications about the cyber-assault’s impact, probing for gaps in corporate security and for other cyber incidents, according to the people, who asked not to be named discussing a private matter.

The probe – aimed partly at determining what the companies may have known but didn’t disclose – follows a landmark lawsuit the SEC filed in October against SolarWinds Corp, claiming it failed to maintain adequate controls and defrauded investors by downplaying security risks. SolarWinds is the Texas software firm whose flagship product was used as a Trojan horse in the attack.

The sharpened inquiry into the victim companies themselves comes amid broader pushback against the agency’s regulatory ambitions. Powerful trade and lobbying groups have criticised Gary Gensler’s SEC over its regulation of climate policy, cryptocurrencies, market structure, trade processing and more. The US Chamber of Commerce, which isn’t a party to the SolarWinds suit, nonetheless filed a brief last month asking the court to consider its view – and its view is that the SEC is going too far.