In a settled order issued on April 24, 2018, the Securities and Exchange Commission (SEC) fined Yahoo US$35 million for failing to properly assess and disclose a 2014 data breach that affected more than 500 million user accounts. The case marks the first time the SEC has charged a public company with cybersecurity-related disclosure violations. While the Yahoo case may be an extreme example, it serves as yet another reminder that the SEC remains laser-focused on cybersecurity issues.
Public companies should consider reviewing their procedures to identify and evaluate cybersecurity risks and incidents, and should ensure that the people involved in drafting and approving public disclosures have sufficient information to make informed and defensible judgments about cyber disclosure. Based on public statements, the SEC seems unlikely to second-guess good-faith cyber disclosure judgments, but non-disclosures accompanied by inadequate, or non-existent, disclosure controls seem likely to draw the agency’s scrutiny. It is, therefore, critical that information security, executive and legal personnel collaborate, learn from each other, and communicate priorities when it comes to cybersecurity risks and incidents. Knowledgeable outside counsel can help ensure the right questions are asked so that well-informed disclosure judgments can be made.