The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks.
The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, Bloomberg said Monday.
Target Corp. is one of the companies facing SEC scrutiny, according to company filings. It suffered a significant breach last year when hackers reached payment data for 40 million customer debit and credit cards.
Enforcement actions against the targets of cyberattacks would be a new tactic for the SEC. The agency is trying to fight the rising threat hackers pose to public companies and the wider financial markets.
Previously, the SEC has focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers, Bloomberg said.
Target said in May that the SEC, Federal Trade Commission and states’ attorneys general are investigating the data breach, including the company’s responses. As of May 3, the cyberattack had cost Target $52 million, the company said.
There’s no explicit requirement to disclose cyberattacks. But public companies must tell investors about material events that could influence their decision to buy or sell shares.
In guidance issued three years ago, the SEC said a cyberattack could be material if it causes a company to significantly increase what it spends to defend its systems or when intellectual property is stolen.
In March, SEC Commissioner Luis A. Aguilar urged more public disclosure of cyberattacks. Firms “should go beyond the impact on the company” and weigh the effect on others, including customers, he said.
Julie DiMauro is the executive editor of FCPA Blog.