On Dec. 19, 2013, Target Corporation disclosed that approximately 40 million credit and debit card account numbers had been hacked from its system between Nov. 27 and Dec. 15, 2013. Target later announced on Jan. 10, 2014, that the breach also involved a second group of up to 70 million people.1 According to Target’s 10-K filed on March 14, 2014, more than 80 actions were filed against the company as a result of this breach, and $61 million in pretax data breach-related expenses were recorded in the fourth quarter of 2013. The company had $100 million of network-security insurance coverage, above a $10 million deductible, which could reduce its financial exposure. But in addition to the costs of remediation, the potential problems and interruptions from this breach could disrupt or reduce operational efficiency and adversely affect customer confidence.
In addition to the publicity over the Target cyber breach and the subsequent lawsuits against the company, the Securities and Exchange Commission (SEC) had already been under some pressure from Congress to act with regard to cybersecurity. In October 2011, the Division of Corporation Finance issued disclosure guidance on cybersecurity for public companies, but last April, Senator Jay Rockefeller requested the SEC to elevate its guidance on cybersecurity disclosures.2 The flash crash of May 6, 2010, and subsequent serious glitches in the trading markets also heightened the sensitivity of the SEC and others to cybersecurity dangers to securities infrastructure institutions. In the aftermath of these disclosures and some other high-profile cybersecurity breaches, the SEC held a Cybersecurity Roundtable on March 26, 2014.
