The U.S. Securities and Exchange Commission (SEC) announced on April 24, 2018, that Altaba – the company formerly known as Yahoo! Inc. – had agreed to pay the SEC $35 million to resolve claims that it misled investors by failing to disclose the cybersecurity breach that enabled hackers to steal the personal data of hundreds of millions of Yahoo users. According to the SEC, for more than two years after members of Yahoo’s senior management and legal department learned of the breach, the company failed to properly investigate and disclose the breach to investors. During that time, the company filed several quarterly and annual reports that made no mention of the breach, instead making only vague references to the risk of data breaches in general. The SEC issued a guidance in February 2018 to assist public companies in preparing disclosures about cybersecurity risks and incidents. In it, the SEC clarified that “[c]ompanies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
Find the SEC press release here.
Read Matthew LaGarde's analysis here.