In our October 2017 column, we wrote about some of the Securities and Exchange Commission’s new cybersecurity initiatives, including the creation of a new Cyber Unit within the SEC’s Enforcement Division. Since then, the SEC has taken steps to demonstrate its increased focus on cybersecurity matters, and specifically on companies’ disclosure obligations relating to cybersecurity risks and incidents. In February 2018, the SEC issued interpretive guidance to assist public companies in drafting their cybersecurity disclosures in SEC filings. The 2018 Guidance, which expanded on the 2011 Cyber Disclosure Guidance issued by the Division of Corporation Finance, provides the SEC’s views about public companies’ disclosure obligations and addresses the importance of maintaining strong cybersecurity policies and procedures.
On the heels of the release of the 2018 Guidance, on April 24, the SEC announced that the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty to settle charges that it misled investors by waiting two years to disclose a data breach in which hackers stole personal data relating to over 500 million user accounts. See Altaba Inc., f/d/b/a Yahoo! Inc., Administrative Proceeding File No. 3-18448 (Apr. 24, 2018) (https://www.sec.gov/litigation/admin/2018/33-10485.pdf) (the Yahoo Order). The settlement marks the first time the SEC has initiated a cyber-disclosure enforcement action against a public company and provides important insight into the SEC’s views on companies’ cybersecurity disclosure obligations.
2014 Data Breach and the Enforcement Order
According to the Yahoo Order, in late 2014, Yahoo learned of a massive breach of its user database that resulted in the theft, unauthorized access, and acquisition of hundreds of millions of its users’ data. The personal data in the stolen files included highly sensitive information that Yahoo’s information security team referred to as the company’s “crown jewels”: usernames, email addresses, phone numbers, birth dates, encrypted passwords, and security questions and answers. Within days of the incident, Yahoo’s information security team learned of the breach and informed Yahoo’s senior management and legal department. Despite its contemporaneous knowledge of the incident, Yahoo did not disclose the breach in its public filings until two years later, in a September 2016 press release filed as an attachment to a Form 8-K.
The SEC concluded that Yahoo’s public filings from 2014 through 2016 were materially misleading in that its risk factor disclosures claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information, without disclosing that a massive data breach had already occurred. As Yahoo has acknowledged, although its legal team had “sufficient information to warrant substantial further inquiry in 2014 … they did not sufficiently pursue it.” Yahoo’s senior management and legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how the breach should have been disclosed in public filings or whether the fact that the breach had occurred rendered any statements made by Yahoo in its public filings misleading.
In addition, the SEC found that Yahoo did not share information regarding the breach with the company’s outside auditors or outside counsel to assess the company’s disclosure obligations. Nor did Yahoo maintain disclosure controls and procedures designed to ensure that reports from its information security team were properly and timely assessed to determine how data breaches should be disclosed in Yahoo’s public filings.
The SEC concluded that Yahoo’s failure to disclose the breach violated Sections 17(a)(2) and 17(a)(3) of the Securities Act, and that Yahoo’s failure to maintain disclosure controls and procedures violated Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15. In addition to the $35 million penalty, Yahoo agreed to cease and desist from committing any further violations of these laws and to cooperate fully with the SEC in any investigations, litigations, or other proceedings relating to the data breach.
The SEC’s focus on cybersecurity disclosures reflects its commitment to promoting effective cybersecurity practices. The Yahoo Order emphasized that when a company is aware of a significant breach, merely disclosing the potential risk of a cybersecurity attack may be misleading to investors. Yet, the order should not be read as requiring immediate public disclosure of every data breach. The 2018 Guidance recognized that “a company may require time to discern the implications of a cybersecurity incident,” but cautioned that “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” As Steven Peikin, co-director of the SEC Enforcement Division, explained, the SEC does not “second-guess good faith exercises of judgment about cybersecurity disclosure. But, we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” See Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million, SEC Press Release (Apr. 24, 2018) (https://www.sec.gov/news/press-release/2018-71).
The Yahoo settlement serves as a case study for steps a public company should take to mitigate the risk of a potential SEC cybersecurity investigation. Specifically, the Yahoo Order highlights that companies should evaluate and upgrade their cybersecurity disclosure controls and procedures. As explained in the SEC’s press release announcing the settlement, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” It is critical that companies’ information security personnel collaborate with management and counsel to ensure that thorough controls and procedures are in place so that disclosure decisions can be made in a timely manner.
Finally, it is noteworthy that the SEC’s investigation into Yahoo’s cybersecurity attack is ongoing and that Yahoo has committed to cooperate with the SEC in any related matters. The SEC’s statement in the first footnote of the Yahoo Order that its findings “are not binding on any other person or entity in this or any other proceeding” leaves open the possibility that it may pursue charges against company representatives for Yahoo’s disclosure failures. The SEC may also focus on whether individuals with knowledge of the breach engaged in insider trading. As explained in the 2018 Guidance, company insiders may violate insider trading laws by trading on the basis of material nonpublic information about a company’s cybersecurity risks and incidents, including vulnerabilities and breaches. Based on the SEC’s activities over the past few months, we can expect to see a continued focus on cyber-related matters for both registered entities and issuers.
Margaret A. Dale and Mark D. Harris are partners at Proskauer Rose. Samantha Springer, an associate with the firm, assisted in the preparation of this article.