Just two months after the issuance of its cybersecurity interpretive release, the U.S. Securities and Exchange Commission (the “SEC”) has announced its first cybersecurity disclosure enforcement action: Altaba Inc. (formerly known as Yahoo! Inc.) (“Yahoo”) has paid a US$35m penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches.
In December 2014, Russian hackers stole personal data – including usernames, passwords and security questions – relating to hundreds of millions of Yahoo user accounts. Although information relating to the breach was reported to the company’s senior management and legal department, the SEC alleged that Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The fact of the breach was not publicly disclosed until 2016, during Verizon, Inc.’s acquisition of Yahoo’s operating business.
According to the SEC’s order, Yahoo filed several quarterly and annual reports during the two-year period following the breach, but failed to disclose the breach or its potential business and legal impact. Instead, its SEC filings only said that Yahoo faced only the risk of, and negative effects that might flow from, data breaches. The SEC also found that Yahoo did not share information regarding the breach with its auditors or outside counsel, and that Yahoo failed to maintain disclosure controls and procedures designed to ensure that cyber breach reports, or the risk of such breaches, were properly and timely assessed for potential disclosure.
The case is a blunt reminder that the SEC is looking very closely at cybersecurity disclosure, but companies should also take note that:
- The Yahoo case involved extreme circumstances: one of the world’s largest ever data breaches, with no disclosure regarding the breach from the company for two years. As described by Steve Peikin, Co-Director of the SEC’s Enforcement Division, Yahoo’s response was clearly “so lacking that an enforcement action [was] warranted.” Ordinarily, however, the SEC does “not second-guess good faith exercises of judgment about cyber-incident disclosure,” Peikin said.
- Immediate disclosure of a material cyber incident is not necessarily required. The SEC’s order does not state or imply that Yahoo should have disclosed the breach immediately, such as on a Form 8-K. As noted in the SEC’s interpretive release, “a company may require time to discern the implications of a cybersecurity incident.” However, the release also cautions that an ongoing internal or external investigation is not on its own a reason to avoid disclosure of an incident.
- Proper disclosure controls and procedures are essential. This is emphasized in the SEC’s interpretive release, and one of the main charges in the Yahoo case is the company’s failure to have controls and procedures in place to assess its cyber disclosure obligations. Yahoo’s senior management and legal teams were made aware of the major breach, but did not inform the company’s auditors or outside counsel.
- Further action against individuals is possible. The SEC’s press release notes that the investigation “is continuing” and the order includes undertakings that the company cooperate fully with “any and all investigations” including securing the continuing cooperation of its current and former directors, officer, employees and agents.
- The SEC is paying attention to representations and warranties made in M&A agreements. Although the SEC’s order mainly focuses on the lack of disclosures regarding the breach in Yahoo’s Forms 10-K and 10-Q, it does take note of Yahoo’s representation to Verizon that it had no knowledge of any material security breaches. These representations, the SEC’s order says, were “made publicly available” when Yahoo attached the stock purchase agreement to a Form 8-K filed with the SEC.
We will continue to monitor developments in this area and welcome any queries you may have. We would be happy to discuss with companies their cybersecurity risks and disclosures in conjunction with our Technology, Media and Telecommunications and Operational Intelligence Groups.