Takeaways From the SEC’s First Action After New Cybersecurity Disclosure Guidance

Jared L. Kopel (Courtesy photo)

In February 2018, the Securities and Exchange Commission released its Interpretive Statement and Guidance on Public Company Cybersecurity Disclosures (“Guidance”). This Guidance built upon guidance in 2011 that discussed the need for public companies to provide timely disclosure of significant cybersecurity risks and actual data breaches. The new Guidance, among other things, cautions that an internal investigation cannot be used as an excuse to delay disclosure and that companies may need to update disclosures that were accurate when made but are no longer valid. The new Guidance also discusses the need for companies to maintain comprehensive policies and procedures concerning (1) cybersecurity risks and incidents, and (2) preventing officers and directors from trading in their companies’ securities while in possession of nonpublic knowledge about significant cybersecurity incidents.

More recently, the SEC filed a settled administrative proceeding against the successor to Yahoo! Inc., alleging that Yahoo! had delayed for two years the disclosure of a massive breach of its user database, which was…
