In our October 2017 column, we wrote about some of the Securities and Exchange Commission’s new cybersecurity initiatives, including the creation of a new Cyber Unit within the SEC’s Enforcement Division. Since then, the SEC has taken steps to demonstrate its increased focus on cybersecurity matters, and specifically on companies’ disclosure obligations relating to cybersecurity risks and incidents. In February 2018, the SEC issued interpretive guidance to assist public companies in drafting their cybersecurity disclosures in SEC filings (the 2018 Guidance). The 2018 Guidance, which expanded on the 2011 Cyber Disclosure Guidance issued by the Division of Corporation Finance, sets out the SEC’s views on public companies’ disclosure obligations and addresses the importance of maintaining strong cybersecurity policies and procedures, including disclosure controls that ensure information about cyber incidents reaches the personnel responsible for disclosure decisions.

On the heels of the release of the 2018 Guidance, on April 24, the SEC announced that the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty to settle charges that it misled investors by waiting two years to disclose a data breach in which hackers stole personal data relating to over 500 million user accounts. See Altaba Inc., f/d/b/a Yahoo! Inc., Administrative Proceeding File No. 3-18448 (Apr. 24, 2018) (https://www.sec.gov/litigation/admin/2018/33-10485.pdf) (the Yahoo Order). The settlement marks the first time the SEC has initiated a cyber-disclosure enforcement action against a public company and provides important insight into the SEC’s views on companies’ cybersecurity disclosure obligations.

2014 Data Breach and the Enforcement Order