The Clock is Ticking!: The Types of Cyber Security Disclosures Required by the Securities and Exchange Commission


On February 21, 2018, the Securities and Exchange Commission (SEC) “voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.”[1] The SEC did not wait long for the public to absorb this guidance. On April 24, 2018, the SEC “announced that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”[2] In the space of 2 months, the SEC went from “Companies also may have disclosure obligations” for breaches to a $35 million penalty for failure to disclose.[3] When expectations change so quickly, it is important for companies to think strategically not only about where enforcement action has been but also about where it is going. It is now clear that the SEC is operating in the cyber enforcement space and that it expects fast answers. What, however, does it want?

Overview of the “Commission Statement and Guidance on Public Company…
