Hacked by Russia? No Shield From Disclosure Duty, SEC Says

By Andrew Ramonas

The company formerly known as Yahoo! Inc. has become the first corporation to learn the SEC will penalize a firm for alleged disclosure failures related to a cybersecurity breach, even if foreign government agents are allegedly behind the attack.

Yahoo, now known as Altaba Inc., agreed to pay $35 million to resolve claims it delayed telling investors about a cyber intrusion that allegedly allowed Russian hackers to steal personal data concerning hundreds of millions of user accounts, the Securities and Exchange Commission said April 24. The first-of-its-kind SEC case came after agency Chairman Jay Clayton said last year that the commission should be “cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations.”

The identity of the perpetrator of a breach may somehow excuse a company from publicly disclosing information about the hack, SEC Enforcement Division Co-Director Steven Peikin told reporters after the agency announced the Yahoo settlement. But the hackers’ identity “doesn’t provide any insulation to a company from potential liability for failing to provide material disclosures to its investors,” he said.

“We’re not looking to second-guess good-faith disclosure decisions or be unsympathetic to the perils that companies face from these kinds of intrusions,” Peikin said. “This case, I think, based on our allegations represents a very, very substantial shortfall in even the modest expectations of what companies should be doing in these situations.”

An Altaba spokesman declined to comment.

‘Significant Penalty’

Clayton made the remarks about cybersecurity in his first policy speech as SEC chairman in July 2017. Companies have a “clear obligation to disclose material information about cyber risks and cyber events,” he said then, but added that they’re up against nations that “have resources far beyond anything a single company can muster.”

“The SEC needs to have a broad perspective and bring proportionality to this area that affects not only investors, companies, and our markets, but our national security and our future,” he said at the time.

It’s unclear how the SEC decided on the penalty for Yahoo. Peikin declined to discuss the agency’s thinking but said he hopes companies will recognize it as a “significant penalty” for a cybersecurity case.

“I’m not sure it’s really fair to characterize the fine as a small one given that it’s the first one of this type that’s ever been issued,” Peikin said.

The case is In re Altaba Inc., S.E.C., Admin. Proc. File No. 3-18448, 4/24/18.

To contact the reporter on this story: Andrew Ramonas in Washington at aramonas@bloomberglaw.com

To contact the editor responsible for this story: Seth Stern at sstern@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
