The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks.
The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren’t public.
Target Corp., the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers’ debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings.
The prospect of enforcement actions against the targets of cyberattacks marks a new front in the agency’s efforts to combat the rising threat hackers pose to public companies, brokerages and financial markets. Previously, the SEC had focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers.
“The SEC issues subpoenas when they believe the disclosure is either incomplete or misleading,” said Linda Griggs, a partner at Morgan, Lewis & Bockius LLP who previously worked at the SEC as chief counsel to the agency’s chief accountant. “It’s totally consistent for them to be looking at this kind of thing.”
Public companies are required to disclose to investors events that are material to the share price.
Target said in May that the SEC, Federal Trade Commission and states’ attorneys general are “investigating events related to the data breach, including how it occurred, its consequences and our responses.” As of May 3, the cyberattack has cost Target $52 million, the company said. Target disclosed the breach one day after it was first reported by journalist and security blogger Brian Krebs.
The SEC is also investigating companies’ internal controls in cases where the value of assets could have been affected by a breach, one of the people said.
How much companies should say about breaches has provoked disagreement among corporate attorneys, regulators and some activist investors. While there isn’t an explicit requirement to disclose cyberattacks, public companies are obliged to tell investors about material events that could influence their decision to buy or sell shares. In guidance issued three years ago, the SEC said a cyberattack could be material if it causes a company to significantly increase what it spends to defend its systems or when intellectual property is stolen.
In a speech last month, SEC Commissioner Luis A. Aguilar urged more public reporting of cyberattacks. Firms “should go beyond the impact on the company” and weigh the effect on others, including customers, he said.
Companies typically prefer to keep breaches secret to avoid lawsuits from people who may have been harmed, according to Douglas Meal, a partner at Ropes & Gray LLP who has worked with Target and others on data-security breaches.
“I really can’t think of a case, and we’ve worked on a lot, where the disclosure thinking or analysis was driven by the securities laws issues, frankly,” Meal told a panel convened by the SEC in March.
Proving that a company should have disclosed more about a cyberattack is difficult because even if a trade secret is stolen, it may not be critical to a large company’s profit or growth, said Thomas Sporkin, a former SEC enforcement lawyer who is now a partner at BuckleySandler LLP.
“Materiality is very open to interpretation,” Sporkin said.