BreachExchange mailing list archives

Hacked Companies Face SEC Scrutiny Over Disclosure

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Jul 2014 19:13:11 -0600

http://www.bloomberg.com/news/2014-07-02/hacked-companies-face-sec-scrutiny-over-disclosure.html

The U.S. Securities and Exchange Commission has opened investigations of
multiple companies in recent months examining whether they properly handled
and disclosed a growing number of cyberattacks.

The investigations are focused on whether the companies adequately guarded
data and informed investors about the impact of breaches, according to two
people familiar with the matter who asked not to be named because the
probes aren’t public.

Target Corp. (TGT), the victim of a breach last year that allowed hackers
to access payment data for 40 million of its customers’ debit and credit
cards, is one of the companies facing SEC scrutiny, according to company
filings.

The prospect of enforcement actions against the targets of cyberattacks
marks a new front in the agency’s efforts to combat the rising threat
hackers pose to public companies, brokerages and financial markets.
Previously, the SEC had focused on guiding public companies on how to
disclose those risks and making sure financial companies have adequate
defenses against hackers.

“The SEC issues subpoenas when they believe the disclosure is either
incomplete or misleading,” said Linda Griggs, a partner at Morgan, Lewis &
Brockius LLP who previously worked at the SEC as chief counsel to the
agency’s chief accountant. “It’s totally consistent for them to be looking
at this kind of thing.”

Public companies are required to disclose to investors events that are
material to the share price.

Disclosed Breach

Target said in May that the SEC, Federal Trade Commission and states’
attorneys general are “investigating events related to the data breach,
including how it occurred, its consequences and our responses.” As of May
3, the cyberattack has cost Target $52 million, the company said. Target
disclosed the breach one day after it was first reported by journalist and
security blogger Brian Krebs.

The SEC is also investigating companies’ internal controls in cases where
the value of assets could have been affected by a breach, one of the people
said.

How much companies should say about breaches has provoked disagreement
among corporate attorneys, regulators and some activist investors. While
there isn’t an explicit requirement to disclose cyberattacks, public
companies are obliged to tell investors about material events that could
influence their decision to buy or sell shares. In guidance issued three
years ago, the SEC said a cyber-attack could be material if it causes a
company to significantly increase what it spends to defend its systems or
when intellectual property is stolen.

Avoid Lawsuits

In a speech last month, SEC Commissioner Luis A. Aguilar urged more public
reporting of cyberattacks. Firms “should go beyond the impact on the
company” and weigh the effect on others, including customers, he said.

Companies typically prefer to keep breaches secret to avoid lawsuits from
people who may have been harmed, according to Douglas Meal, a partner at
Ropes & Gray LLP who has worked with Target and others on data-security
breaches.

“I really can’t think of a case, and we’ve worked on a lot, where the
disclosure thinking or analysis was driven by the securities laws issues,
frankly,” Meal told a panel convened by the SEC in March.

Proving that a company should have disclosed more about a cyber-attack is
difficult because even if a trade secret is stolen, it may not be critical
to a large company’s profit or growth, said Thomas Sporkin, a former SEC
enforcement lawyer who is now a partner at Buckley Sandler LLP.

“Materiality is very open to interpretation,” Sporkin said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
