The SEC says it will not second-guess good faith judgments about whether, when and how public companies should disclose cybersecurity breaches, but its April 24 announcement of a $35 million settlement with the entity formerly known as Yahoo! Inc. shows that sufficiently egregious disclosure failures will be punished. The settlement stems from Yahoo’s failure to disclose a 2014 hack of hundreds of millions of user accounts until more than two years later.
The SEC’s order stresses that, although Yahoo’s senior management and legal department learned of the breach within days of the incident, Yahoo did not inform its auditors or outside counsel so that they could assess its disclosure obligations. Consequently, during the two years following the breach, Yahoo’s quarterly and annual reports contained only generic disclosures about the risk of being hacked, misleading investors by failing to disclose a material attack the company already knew about. Jina Choi, Director of the SEC’s San Francisco Regional Office, remarked, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.”
According to The Wall Street Journal’s report on the settlement, Yahoo is the first public company to be penalized by the SEC over its handling of a cybersecurity breach. The settlement comes just two months after the SEC adopted new interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. It is unlikely to be the last.