SEC launches investigations of hacked firms

WASHINGTON — The US Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks.

The focus is on whether the companies adequately guarded data and informed investors about the breaches, according to two people familiar with the matter who asked not to be named.

Target, the victim of a breach that allowed hackers to access payment data for 40 million customers, is one of the companies facing SEC scrutiny, according to company filings.


The prospect of enforcement actions against the victims of cyberattacks marks a new front in the agency’s efforts to combat the rising threat hackers pose to public companies, brokerages, and financial markets. The SEC had focused on guiding companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers.

“The SEC issues subpoenas when they believe the disclosure is either incomplete or misleading,” said Linda Griggs, a partner at Morgan, Lewis & Bockius who had worked at the SEC as chief counsel to the agency’s chief accountant. “It’s totally consistent for them to be looking at this kind of thing.”

Public companies are required to disclose events that are material to the share price.

Target said in May that the SEC, Federal Trade Commission, and states’ attorneys general are “investigating events related to the data breach, including how it occurred, its consequences, and our responses.”

As of May 3, the cyberattack has cost Target $52 million, the company said.


The SEC is also investigating companies’ internal controls in cases where the value of assets could have been affected by a breach, one of the people said.

How much companies should say has provoked disagreement among attorneys, regulators, and activist investors. While there is not an explicit requirement to disclose cyberattacks, public companies are obliged to tell investors about material events that could influence their decision to buy or sell shares.

In guidance issued three years ago, the SEC said a cyberattack could be material if it causes a company to significantly increase what it spends to defend its systems.

Last month, SEC Commissioner Luis Aguilar urged more reporting of cyberattacks. Firms “should go beyond the impact on the company” and weigh the effect on others.

Companies typically prefer to keep breaches secret to avoid lawsuits, according to Douglas Meal, at Ropes & Gray.


“I really can’t think of a case, and we’ve worked on a lot, where the disclosure thinking or analysis was driven by the securities laws issues,” Meal told a panel in March.