Last month, the Securities and Exchange Commission issued a cybersecurity guidance document that amounted to a detailed warning to public companies to shape up their cyber breach disclosures and advance their cyber risk reporting and management out of the dark ages. Now, the agency is showing just how serious it takes cybersecurity, announcing a $35 million penalty against the former Yahoo! for failing to disclose its massive data breach in 2014, when Russian hackers walked off with the company’s “crown jewels” – personal data for hundreds of millions of users.
The case is the first time the SEC has gone after a company over a data breach. The specific charges in the SEC’s order were devastating: For two years after the breach, Yahoo filed misleading financial reports stating that it only faced “potential” risks from breaches, and it failed to maintain controls to ensure that reports from the infosecurity team made it through to disclosure.
The $35 million penalty puts teeth in the recent SEC guidance that urgently advised companies to be more forthcoming on cyber breach disclosure, and evolve their risk programs to provide a true understanding of the business impact of a wide variety of cyber risks. The guidance calls for publicly traded companies to assess the costs of cyber risks in monetary terms and promptly disclose any risks that rise to the “material” level. The document also moved SEC guidance beyond disclosure requirements, warning public companies that the agency will hold them accountable for their cybersecurity programs.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said Jina Choi, Director of the SEC’s San Francisco Regional Office. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
While the SEC’s statements on cyber risk disclosure are not mandatory, the action they’ve taken here (and are likely to take in another major breach disclosed well after its occurrence ) are a signal to corporate directors, the C-suite and security teams…The SEC recognizes that cyber is indeed one of the biggest business risks in existence today and they intend to hold organizations accountable for the way they manage that risk.