On April 24, 2018, the Securities and Exchange Commission announced that Altaba, the company formerly known as Yahoo! Inc., agreed to pay a $35 million penalty as part of a cease-and-desist order to settle charges that it misled investors by failing to disclose a significant data breach in which hackers stole personal data relating to hundreds of millions of Yahoo! accounts in 2014. This was the first fine issued by the SEC based on allegations that investors were misled by a company’s failure to disclose a cyberattack and highlights the SEC’s increasing focus on cybersecurity issues and related disclosure obligations for public companies.
The settlement comes two months after the SEC’s release of guidance to assist public companies in preparing disclosures concerning cybersecurity risks and incidents. The guidance, discussed in a prior client alert, noted that cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. Registrants were reminded to assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant…
