In the previous installment, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we explored the text and implications of the recently issued SEC guidance. When that guidance was issued, the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents. But the timing of the issuance of the guidance did make you wonder: was the SEC just taking the opportunity to reiterate and expand on past guidance or was it signaling that an enforcement action might be imminent? Was it just a gentle reminder or a warning shot?
In 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: in April, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
In its Order, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers,” referred to internally as the company’s “crown jewels.” The company neither admitted nor denied the findings in the Order.
By December, the Order indicates, after the company’s information security team had drilled down and reached certain conclusions about the breach (including the hacking of the “email accounts of 26 Yahoo users specifically targeted by the hackers because of their connections to Russia”), the company’s Chief Information Security Officer advised members of senior management and legal teams of the problem. Throughout 2015 and early 2016, the company’s security team found that the same hackers continued to target the company, and by June 2016, the company’s new Chief Information Security Officer concluded and communicated to senior management that the company’s “entire user database, including the personal data of its users, had likely been stolen by nation-state actors through several hacker intrusions (including the 2014 breach), and ultimately could be exposed on the dark web in the immediate future.” But, the Order found, this information was not disclosed.
The Order charges that the company’s “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading….Furthermore, Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Yahoo did not maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings, including, but not limited to, in its risk factor disclosures or MD&A. To the extent that Yahoo shared information regarding the breach with affected users, they only notified the 26 users whose email accounts were accessed during the breach.”
Observations and Commentary
You might note that there seems to be a certain consistency between the issues identified in this Order and the SEC’s advice in its new guidance on cybersecurity disclosure. For example, the new guidance emphasized the importance of disclosure controls and procedures related to cybersecurity. In that regard, the guidance urged companies to regularly assess whether their disclosure controls and procedures adequately captured information about cybersecurity risks and incidents and ensured that it was reported up the corporate ladder to enable senior management to make decisions about whether disclosure is required and whether other actions should be taken. In addition, given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers would need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents.
In particular, the Order found that the company’s “risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches” that might expose the company to loss and liability “without disclosing that a massive data breach had in fact already occurred.” These risk factor disclosures “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” In addition, according to the Order, the company’s MD&A did not address the breach as a known trend or uncertainty.
Observations and Commentary
In its new guidance, the SEC advised that, in crafting risk factors, companies should consider whether cybersecurity risks and incidents were among the company’s most significant risks, taking into account prior incidents and the probability of occurrence and potential magnitude of future incidents. The SEC emphasized that companies needed to disclose information regarding material prior incidents to provide appropriate context. As emphasized in the guidance, “if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”
In addition, the guidance advised that, in MD&A, companies should consider whether risks related to cybersecurity could represent an event, trend or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition. Likewise, a material cyber incident could cause reported financial information not to necessarily be indicative of future operating results or financial condition.
In addition, the SEC found that there were also disclosure violations in connection with the proposed sale of the company’s operating business in July 2016: although the company “was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement [that] was attached to a Form 8-K filed with the Commission on July 25, 2016.”
Observations and Commentary
You might recall that, in 2005, the SEC issued a Section 21(a) Report of Investigation concerning The Titan Corporation, to “provide guidance concerning potential liability under the antifraud and proxy provisions of the federal securities laws for publication of materially false or misleading disclosures regarding provisions in merger and other contractual agreements.” The report enunciated the SEC’s view that disclosures regarding material contractual terms, such as representations, may be actionable and highlighted the SEC’s intent to consider bringing enforcement actions if it “determines that the subject matter of representations or other contractual provisions is materially misleading to shareholders because material facts necessary to make that disclosure not misleading are omitted.” The report emphasized that companies should ensure that disclosures regarding material contractual provisions such as representations are not misleading: “When an issuer makes a public disclosure of information—via filing a proxy statement or otherwise—the issuer is required to consider whether additional disclosure is necessary in order to put the information contained in, or otherwise incorporated into that publication, into context so that such information is not misleading. The issuer cannot avoid this disclosure obligation simply because the information published was contained in an agreement or other document not prepared as a disclosure document.”
In the Order, the SEC also found that, in September 2016, the company issued a press release disclosing the data breach and attached it as an exhibit to a Form 8-K. The company also amended various disclosures, including risk factors and MD&A, to reflect the occurrence of the breach and corrected its prior statements regard the effectiveness of its disclosure controls. The day following the announcement, the company’s market cap fell nearly $1.3 billion. In addition, the disclosure led to a renegotiation of the acquisition agreement, including a 7.25% price reduction.
The SEC concluded that the company “acted negligently in filing materially misleading periodic reports with the Commission” and violated a number of provisions of the Securities Act and the Exchange Act, as well as related rules. In settlement, the company agreed to cease and desist and pay $35 million; Yahoo also agreed to certain undertakings, including cooperation in connection with any further SEC investigation of the matter.