Faulty Cybersecurity Disclosures and a Big Fine

Here is an issue to focus on as we draw to the end of the second quarter and plan our periodic reporting.

Rarely does a month pass without dramatic news stories about cybersecurity breaches.  Targets include large companies such as Equifax, not-for-profits such as hospitals and even government agencies like the SEC.

Earlier this year the SEC augmented their 2011 cybersecurity disclosure guidance in CorpFin Disclosure Topic Two with a formal Commission Release.  As we blogged, the Release in large part reinforced the Disclosure Topic Two guidance and added guidance about control and insider trading issues.

When the SEC issues new guidance, one of the ways they sometimes emphasize its importance is with an enforcement case.  And that has happened here.  Altaba, Inc., which was formerly Yahoo, has been fined $35 million for failure to make timely and accurate disclosures about their major cybersecurity breach. As you may have read, there was a significant delay in disclosure of the breach on the part of Altaba (Yahoo), and the enforcement release highlights several other disclosure issues surrounding the breach, including the fact that Yahoo’s disclosure controls and procedures were not effective.  Here is a quote from Jina Choi, the San Francisco Regional Office Director:

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.  Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

You can read details here.

As always, your thoughts and comments are welcome!
