Here’s what directors need to know about what to say and when to say it.
By Edward Normandin and Matthew Repetto
Last April, the Securities and Exchange Commission (SEC) reached a settlement of $35 million with Altaba, Inc. over charges that the company misled investors by failing to disclose a massive 2014 cyber breach.
The settlement against Altaba, formerly known as Yahoo! Inc., came just a few months after the SEC published new guidance on cybersecurity disclosures.
While this SEC enforcement action was the first of its kind, it, along with the release of the 2018 guidance and the increasing frequency of cybersecurity-related comments from the agency, signaled the SEC’s heightened attention to cybersecurity disclosure and the need to properly and promptly disclose breaches.
Such disclosure decisions, however, can be difficult for directors and officers and should be handled carefully in light of the possible business, financial and legal implications.
When a U.S. public company suffers a cybersecurity attack, its directors and officers have a responsibility to ensure that their company takes appropriate steps to investigate, evaluate and remedy the breach. Presently,…