The SEC Fines Yahoo for Alleged Failure to Disclose Cyber Breach

Poyner Spruill LLP

The Securities and Exchange Commission (SEC) has undertaken its first enforcement action in connection with a public company’s failure to timely disclose cyber-issues. Last month, Altaba Inc., the former Yahoo! Inc. (Yahoo!), agreed to pay the SEC $35 million to resolve allegations that it had failed to disclose a 2014 data breach that ultimately affected 3 billion accounts. See In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., Admin. Proc. No. 3-18448 (April 24, 2018).

The SEC alleged that Yahoo!, the Internet’s reigning monarch in the 90s, learned of a significant breach in late 2014. The breach apparently compromised significant user data, including names and passwords. The SEC contended that Yahoo! failed to notify outside auditors of the breach. Nor did Yahoo! evaluate the breach to assess the magnitude of the security problem or determine the need for investor disclosure. Yahoo! did not disclose the breach until September 2016. In the intervening period, Yahoo! continued to file required forms with the SEC from 2014 through September 2016 without noting the breach.

The SEC insisted Yahoo!’s failure to report the breach in its filings and inadequate internal controls violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act. This formed the basis of the $35M settlement penalty. In keeping with standard practice, Yahoo! neither conceded nor denied any wrongdoing. It also agreed to comply with securities reporting laws – and to cooperate with additional investigations. Those additional investigations could implicate other entities or individuals in the future.

The episode contains a number of lessons for publicly traded companies evaluating their reporting response in the wake of a cyber incident.

  • The fine underlines the SEC’s expectation that companies promptly disclose cyber-security incidents. The SEC stated that while it would not second-guess good faith judgment regarding disclosure, a sufficiently lackadaisical response would warrant enforcement action.
  • Companies should evaluate whether their internal procedures to escalate cybersecurity incidents are appropriate in light of their risk profile. As the SEC noted: “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” The extent of escalation, including the need to involve senior management, external auditors, and outside counsel, is a function of the business impact of the incident. Companies need to institute a process to determine whether an event is likely to materially affect finances or operations.
  • Material cyber incidents need to be reported promptly. Even without independent reporting obligations under state or European Union data breach notification laws, the company should err on the side of reporting, since cyber incidents can have significant financial impacts and carry legal risks.
  • There is an ongoing duty to rectify previous disclosures should the company determine that previous filings were inaccurate or contained material omissions.

These recommendations are in line with the SEC’s own recent guidance on the subject of public company cybersecurity disclosures. While Yahoo! may be the first company to settle with the SEC for failure to timely disclose a cybersecurity incident, it is not likely to be the last.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
