SEC $35M Penalty for Failure to Disclose Data Breach Highlights New Focus on Cybersecurity

The Securities and Exchange Commission (the “SEC” or “Commission”) recently issued updated interpretative guidance (the “Guidance”) stressing the importance of timely, meaningful cybersecurity disclosures by public companies.[1] The SEC emphasized that companies may run afoul of the federal securities laws if they fail to disclose material cybersecurity risks and incidents in registration statements, periodic reports, and/or current reports. The SEC also encouraged companies to maintain comprehensive internal policies and procedures related to cybersecurity risks and incidents. The SEC further reminded companies of applicable insider trading prohibitions and their duty to refrain from making selective disclosures of material nonpublic information about cybersecurity risks and incidents.

The critical importance of this issue was highlighted when the SEC recently imposed a penalty of $35 million against the entity formerly known as Yahoo! Inc. (“Yahoo”)[2] for failing to timely assess and properly disclose a 2014 data breach that compromised hundreds of millions of user accounts.[3] Indeed, the SEC’s enforcement action against Yahoo was the first of its kind against a company based on failure to properly disclose a cybersecurity incident. Given the SEC’s increased focus on this issue, the Guidance offers key insights for companies in assessing cybersecurity-related disclosures.

1.  Importance of Cybersecurity Disclosures

The Guidance explained that cybersecurity disclosures have grown in importance as the frequency and magnitude of cybersecurity incidents have increased. Companies now face a wide range of cybersecurity threats on a daily basis, including stolen access credentials, malware, ransomware, phishing, and other types of attacks from both third parties and malicious insiders. Moreover, cybersecurity incidents often result in substantial costs and other negative consequences for companies, including, among other things: (i) remediation costs, (ii) increased cybersecurity protection costs, (iii) lost revenues from stolen proprietary information and/or customer losses, (iv) increased insurance premiums, (v) reputational damage, and (vi) litigation and legal risks.

In light of the increase in the frequency, magnitude, and cost of cybersecurity incidents, the Guidance explained, it is crucial for public companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”[4] Accordingly, companies should carefully evaluate the materiality of cybersecurity risks and incidents when determining whether disclosures are required in both periodic reports and other public filings.

Critically, companies may be required to promptly disclose material cybersecurity incidents in order to ensure that prior reports or registration statements do not become materially misleading. Therefore, when investigating cybersecurity incidents, companies should be cognizant of the potential need for disclosure.

2.  Internal Policies and Procedures for Cybersecurity

The Guidance further encouraged companies to assess whether they have sufficient disclosure controls and procedures in place to properly process and report relevant cybersecurity risks or incidents. Companies and management must consider whether their controls and procedures will capture relevant information related to cybersecurity risks and incidents required to be disclosed to the Commission in a filing. These procedures should be capable of identifying, assessing, and analyzing cybersecurity risks; evaluating the significance of the risks; and ensuring timely disclosures.

The Guidance further advised companies and their directors, officers, and other corporate insiders to be mindful of insider trading laws in connection with cybersecurity risks and incidents, including vulnerabilities and breaches. Information about a company’s cybersecurity risks and incidents may constitute material nonpublic information, triggering the risk of insider trading. Accordingly, companies should be mindful of this risk when making determinations regarding cybersecurity-related disclosures.

Related to the previous recommendation, the Commission encouraged companies to promote full and fair disclosure through compliance with Regulation FD. This regulation addresses companies making selective disclosures of material nonpublic information to certain investors before the information is made known to the general public. The Commission advised companies not to engage in such conduct with respect to cybersecurity risks and incidents, and reiterated that it expects companies to have policies and procedures in place to prevent selective disclosures.

3.  The Yahoo Settlement

The importance of prompt disclosure is illustrated by the SEC’s settled enforcement action against Yahoo. The SEC charged Yahoo with misleading investors under the federal securities laws by failing to timely disclose the breach. According to the SEC’s settled order, although Yahoo’s information security team learned of the December 2014 data breach within days of its occurrence, the company did not properly investigate the circumstances of the breach, nor did it adequately consider whether disclosure to investors was required. Indeed, the fact of the breach was not disclosed to investors until more than two years had elapsed.

The SEC found that Yahoo, among other things: (i) failed for more than two years to disclose the data breach or its potential impact in quarterly and annual reports, (ii) failed to share information about the breach with its auditors or outside counsel so that the company’s disclosure obligations could be properly assessed, and (iii) failed to maintain disclosure controls and procedures designed to ensure that internal reports of data breaches were properly and timely assessed for potential disclosure. Yahoo neither admitted nor denied the SEC’s findings in agreeing to the settled administrative order.

The SEC has sharpened its focus on companies’ obligations to disclose material cybersecurity risks and incidents, and the Yahoo settlement illustrates the risk of failure to properly disclose. In light of the Guidance and the SEC’s attention to this issue, companies should carefully consider and evaluate:
  • The potential materiality of cybersecurity risks and incidents in making required disclosures in registration statements, periodic reports, and current reports;
  • The adequacy of internal policies and procedures in place to ensure cybersecurity risks and incidents are promptly reported internally and evaluated for potential disclosure; and
  • The adequacy of internal policies and procedures for preventing selective disclosures regarding cybersecurity risks and incidents.
For more information, contact Nick Merker, Eric McKeown, or another member of our Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures 5-6 (2018) (the “Guidance”).
[2] The SEC enforcement action was against Altaba Inc., formerly doing business as Yahoo! Inc. See Order Instituting Cease-and-Desist Proceedings, In re Altaba Inc., f/d/b/a Yahoo! Inc. (Apr. 24, 2018),
[3] SEC, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (Apr. 25, 2018),
[4] Guidance at 4.