Security breaches, such as those at Target Corp. (NYSE:TGTB), LinkedIn Corp. (NYSE:LNKD) and, more recently, Equifax Inc. (NYSE:EFXD), are bad enough when they impact a single company. What about when they impact many companies? Such was the case with the recently revealed 2016 security breach at the Securities and Exchange Commission (SEC).
The break-in targeted the SEC’s EDGAR corporate filing system, where publicly traded companies store lots of public and private information. Hacking into that information could be a gateway for insider trading at a magnitude that keeps Wall Street up at night.
Taking Its Time
This makes the announcement by SEC Chairman Jay Clayton that the SEC would take “substantial” time to determine the full scope of the 2016 breach a little puzzling. Democrats in Congress have already been asking why it took more than a year for the SEC to realize it had been hacked.
“We understand the breach happened under your predecessor, but the disclosure — or lack thereof — is all yours,” said Sen. Sherrod Brown (Ohio). “How can you expect companies to do the right thing when your agency is not?”
Comparisons With Equifax
Not surprisingly, some have compared the breach at the SEC with the one at Equifax and questioned whether the SEC could provide oversight in an area where it has proven to be vulnerable.
Asked whether Equifax executives should be able to keep their bonuses, Clayton declined to answer but said the SEC may have to take the matter up. He did note that companies should be disclosing more and coming clean when breaches are discovered.
When it was pointed out that three Equifax executives sold nearly $2 million in stock after the company learned of the breach but before it was disclosed publicly, and he was asked, “Is that insider trading?”, Clayton declined to weigh in.
Not Many Companies Affected
One source indicated that not many companies are believed to have been affected by the SEC breach. Still, in a statement the SEC said, "the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading."
The statement went on to say, “We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” So, what does it mean? It means that if the hackers were sophisticated enough to buy and sell on the stock exchange, they could have made money illegally by using information gained in the attack that other investors would not have had.
What You Should Expect
Breaches are going to happen. When they do, what should you as an investor expect affected companies to do? There is no specific SEC regulation that requires disclosure of a breach. SEC regulations do require certain information to be disclosed, and if failing to report a breach causes that information not to be disclosed, a violation has occurred. In other words, if failure to disclose a breach results in a misleading statement, the rules have been violated.
If a company has publicly said something about its IT systems that was misleading because of a breach, the company has an obligation to correct that statement. This, by the way, is true whether the statement was made directly to investors or to a company’s customers. If the information is released to the public and you, as an investor, rely on it, the company may find itself vulnerable to a securities claim.