On April 24, 2018, the Securities and Exchange Commission announced a settled enforcement proceeding against Altaba Inc. (formerly known as Yahoo! Inc.) arising out of data breaches suffered by Yahoo in 2014, 2015 and 2016. This marks the first action that the Commission has brought based on a disclosure theory related to a cyber incident. The settlement was not unexpected. Yahoo's 2016 disclosure of the breaches was made several years after they occurred, and given the Commission's express focus on cybersecurity—as evidenced by the formation of its new Cyber Unit—both the securities and cyber bars were anticipating some type of resolution. This expectation was reinforced in 2016, when Yahoo itself publicly concluded that it had not sufficiently inquired into and pursued information about the underlying breaches at the time.
Nevertheless, the Yahoo settlement provides important insight into how the Commission views an issuer's responsibility after suffering a cyber incident. Among other things:
- The Commission levied significant criticism on Yahoo's legal department, quoting from the company's 2016 Form 10-K, which stated that the company's “relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”
- The settlement stated that Yahoo's disclosure controls and procedures were deficient, focusing on insufficient procedures to ensure that cyber events identified within the Chief Information Security Office were appropriately evaluated for potential disclosure. This serves as an important lesson that issuers must establish robust and real-time information flow on data security events, and provides an example of what disclosure controls and procedures should cover, as the Commission reminded issuers in its recent cybersecurity disclosure guidance, discussed here. See Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459, 34-82746 (Feb. 26, 2018).
- The Commission found disclosure violations in Yahoo's risk factors—which, post-breach, spoke only of possible breaches, as opposed to known breaches—as well as in its Management Discussion & Analysis. On this latter finding, with very little elaboration, the Commission concluded that Yahoo's MD&A did not address known trends or uncertainties “with regard to liquidity or net revenue presented by any current or future expenses and losses” arising from the breaches, as required by Item 303(a) of Regulation S-K.[1]
- Finally, the Commission's disclosure findings extended beyond Yahoo's Forms 10-K and 10-Q, sweeping in a representation that Yahoo had made about the absence of security breaches with a “Business Material Adverse Effect” in its sale and purchase agreement with Verizon Communications, Inc., filed as an exhibit to a Form 8-K. The Commission introduced the concept of predicating a disclosure violation on misstatements in a contract filed with the Commission in a 2005 Section 21(a) report of investigation relating to The Titan Corporation. See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on Potential Exchange Act Section 10(b) and Section 14(a) Liability, Exchange Act Release No. 51,283 (Mar. 1, 2005). But the additional finding was not necessary to the Commission's conclusion that Yahoo's disclosures were inadequate, and it suggests that the Commission is looking aggressively to identify situations where it believes it can assert that disclosures are incomplete or inaccurate.
As a result of the deficiencies identified in the settlement, the Commission found that Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, and Section 13(a) (and implementing regulations) of the Securities Exchange Act of 1934, and imposed a civil money penalty of $35 million. The settlement does not include any scienter-based fraud charges.
While the Commission did not charge any individuals in this action, the cooperation undertakings required of Yahoo, as well as the express statement in the first footnote that the findings are not binding as to any individual or entity in any other proceeding, suggest that the agency's investigation is continuing.
The resolution of the Commission's investigation of Yahoo's cyber breaches (at least as to the company), coming very close in time to the issuance of the Commission's cybersecurity disclosure guidance, drives home that the Commission is serious about pursuing companies for disclosure and related failures in connection with cyber incidents. And although this type of action will most likely be brought only after a material breach, it is nevertheless a natural extension of the Commission's ongoing emphasis on the importance of this issue, dating back to the 2011 Corporation Finance Staff Guidance on cyber disclosure. See Securities and Exchange Commission Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2: Cybersecurity (Oct. 13, 2011). We expect to see a continued focus by the Commission on cyber-related matters in the disclosure arena—both for registered entities and for issuers.
[1] Item 303(a) of Regulation S-K provides, in relevant part, that a registrant shall discuss its financial condition, changes in financial condition and results of operations, including, among other things, identifying “any known trends or any known demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the registrant's liquidity increasing or decreasing in any material way” and “any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations.” 17 C.F.R. § 229.303(a).