As we noted in our recent piece “What do the SEC’s New Cybersecurity Risk Guidelines Mean for You as a Board Member?”, the Commission is increasingly focused on cyber risk as it pertains to disclosure requirements.
The 2018 guidance addressed one of the criticisms of the original 2011 guidance – namely, that it lacked the teeth of enforceability – and statements by Chairman Clayton and others left little doubt that cyber disclosures were near the top of the SEC agenda. Perhaps it shouldn’t come as a surprise then, that on April 24th the SEC reported a $35 million agreement with Altaba (formerly Yahoo) for a multi-year delay in reporting a 2014 data breach.
This is the first enforcement action of its kind following the new SEC guidance. There is no doubt that a message is being sent to reporting companies with this action. As Jina Choi, Director of the SEC’s San Francisco Regional Office, commented, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” We suspect this will be the first of a number of similar actions, but stress that appropriate and comprehensive cyber disclosure practices are readily achievable.