In February 2018, the Securities and Exchange Commission released its Interpretive Statement and Guidance on Public Company Cybersecurity Disclosures (“Guidance”). This Guidance built upon guidance in 2011 that discussed the need for public companies to provide timely disclosure of significant cybersecurity risks and actual data breaches. The new Guidance, among other things, cautions that an internal investigation cannot be used as an excuse to delay disclosure and that companies may need to update disclosures which were accurate when made but are no longer valid. The new Guidance also discussed the need for companies to maintain comprehensive policies and procedures concerning (1) cybersecurity risks and incidents, and (2) preventing officers and directors from trading in their companies’ securities while in possession of nonpublic knowledge about significant cybersecurity incidents.

More recently, the SEC filed a settled administrative proceeding against the successor to Yahoo! Inc. alleging that Yahoo! had delayed for two years disclosing a massive breach of its user database, which was disclosed only when Yahoo! was selling its operating business to Verizon. In the Matter of Altaba Inc. f/d/b/a Yahoo! Inc., (Administrative Proceeding File No. 3-18448, April 24, 2018).  The enforcement proceeding, which resulted in a $35 million penalty, amplified and illustrated the principles articulated in the February 2018 Guidance.  In light of the Yahoo! action, attorneys, as well as management and boards, would disregard the Guidance, although lacking the force of an actual rule or regulation, at their peril.