WASHINGTON – The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months, examining whether they properly handled and disclosed a growing number of cyberattacks.
The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren’t public.
Target, which was the victim of a breach last year that gave hackers access to payment data for 40 million of its customers’ debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings.
The prospect of enforcement actions against the victims of cyberattacks marks a new front in the federal agency’s efforts to combat the rising threat that hackers pose to public companies, brokerages and financial markets.
Previously, the SEC had focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers.
The SEC issues subpoenas when they believe the disclosure is either incomplete or misleading, said Linda Griggs, a partner at Morgan, Lewis & Brockius who previously worked at the SEC as chief counsel to the agency’s chief accountant. It’s totally consistent for them to be looking at this kind of thing.
While there isn’t an explicit requirement to disclose cyberattacks, public companies must tell investors about material events that could influence their decision to buy or sell shares.
In guidance issued three years ago, the SEC said a cyber-attack could be material if it causes a company to significantly increase what it spends to defend its systems or when intellectual property is stolen.
Companies typically prefer to keep breaches secret to avoid lawsuits from people who may have been harmed, according to Douglas Meal, a partner at Ropes & Gray who has worked with Target and others on data-security breaches.
I really can’t think of a case, and we’ve worked on a lot, where the disclosure thinking or analysis was driven by the securities laws issues, frankly, Meal told a panel convened by the SEC in March.