SEC Issues First Civil Penalty for Failure of Data Breach Disclosure

On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) announced an update to its cybersecurity guidance that was first introduced in 2011 regarding a public company’s disclosure obligations related to cybersecurity. The updated guidance highlights new rules that a company must follow to ensure that policies and procedures are in place to address breach notification and insider trading. Organizations are required to notify regulators of data breaches within 72 hours and have the general counsel’s office monitor and assess all trades following a data breach or cyber event.

Read more: SEC Approves Cybersecurity Guidance Revision

SEC Issues First Civil Penalty

Since the announcement of the guidance, SEC has placed a greater focus on ensuring organizations follow the guidance and disclose any known cyber incidents. On April 24, 2018, SEC announced its first enforcement action against the public company Altaba, Inc. formerly known as Yahoo!, Inc (Yahoo), for failing to disclose a data breach in 2014. Yahoo failed to disclose to investors that a data breach of 500 million users’ personal information had been compromised, and waited two years to disclose the breach to the public.

The SEC and Yahoo agreed to a $35 million civil penalty; the first of its kind for a data breach.

As noted in this article, Yahoo had violated a number of provisions within the Securities Act of 1933 and the Securities Exchange Act of 1934, and the SEC’s settlement order found the following:

  • Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the “risk of potential future data breaches” that might expose the company to loss and liability “without disclosing that a massive data breach had in fact already occurred.”;
  • Yahoo’s Management’s Discussion and Analysis of Financial Condition and Results of Operations (“MD&A”) in those reports were materially misleading to the extent it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the breach;
  • Yahoo senior management and legal staff “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading”;
  • Yahoo did not inform its own auditors or outside counsel about the breach so they could assess the company’s disclosure obligations in its public filings; and
  • Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure obligations (SEC Fines Yahoo $35 Million for Failure to Timely Disclose a Cyber Breach).

As Steven Peikin, Co-Director of the SEC Enforcement Division stated in the press release, “We do not second-guess good faith exercises of judgment about cyber-incident disclosure.  But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case”. The Enforcement Division’s Cyber Unit, is a new initiative focused on targeting cyber-related misconduct and threats that poses risks facing investors and the securities industry. They will continue to crack down on public companies who fail to disclose cyber incidents to investors and to the public, and will focus on the following cyber-related misconduct:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information
  • Violations involving distributed ledger technology and initial coin offerings
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts
  • Cyber-related threats to trading platforms and other critical market infrastructure

Important Takeaways for Your Public Company

The SEC’s enforcement action with Yahoo illustrates the importance of having cybersecurity disclosure practices in place at your organization to avoid penalties and to remain transparent with investors and the public. Organizations should ensure they are following the SEC’s rules when reviewing their disclosure controls and procedures to ensure it satisfies the requirement of “recording, processing, summarizing, and reporting the information related to cybersecurity risks and incidents that is required to be disclosed in filings”. The SEC’s enforcement action with Yahoo should be a wake-up call for organizations to evaluate their disclosure controls and procedures and to ensure they are implementing the following best practices:

  • Conduct regular third-party vulnerability and security assessments to assess any emerging cyber threats
  • Evaluate and assess the effectiveness of the disclosure controls and procedures in place to ensure that cybersecurity risks and incidents are timely identified, evaluated, and reported up to senior leadership to determine whether a disclosure is required
  • Educate and train staff on cybersecurity best practices and the importance of securing client information

The data breach landscape continues to evolve at a rapid pace and hackers are becoming more strategic in stealing organization’s information. Now is the time to implement information security programs, controls, and procedures that will protect your organization from a data breach and prevent an incident like Yahoo from occurring.

With the help of our cybersecurity, privacy, and compliance professionals, your organization can ensure its following the steps towards safeguarding information and disclosing cyber incidents appropriately. Have questions about conducting a cybersecurity assessment? Contact us to have all your questions answered today.