In Its First Settlement With an Issuer for a Disclosure Relating to a Cyber Incident, SEC Imposes $35 Million Fine for Yahoo!’s Failure to Disclose a Cybersecurity Breach
On April 24, 2018, the Securities and Exchange Commission announced that Yahoo! Inc. (now known as Altaba) agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose a significant data breach in which hackers stole personal data relating to hundreds of millions of user accounts. While the SEC has been making clear that it is focused on the adequacy of cyber-related disclosures, this settlement marks the first time that the SEC has brought a case against an issuer for disclosures relating to a cyber incident. While the SEC did not charge any individual company executives (the SEC’s investigation is ongoing), the order does impose a number of non-standard, detailed continuing cooperation obligations on Yahoo!. This settlement follows the Commission’s interpretative guidance in February that addressed the provisions of the federal securities laws that may be implicated by cyber incidents and that should be considered when evaluating a cyber incident, cyber-related risk, and related disclosures.