SEC Incorporates Cybersecurity Considerations in Disclosure and Supervisory Programs




Posted by on December 08, 2017

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the SEC’s review of public company disclosures. On September 26, 2016, Senator Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus, wrote a letter to the SEC requesting that the agency investigate whether Yahoo, Inc., fulfilled its disclosure obligations under the federal securities laws related to a security breach that affected more than 500 million accounts. Senator Warner also requested that the SEC re-examine its guidance and requirements related to the disclosure of cybersecurity matters in general.

Senator Warner’s letter was precipitated by a September 22, 2016, 8-K and press release issued by Yahoo disclosing the theft of certain user account information that occurred in late 2014. The press release referred to a “recent investigation” confirming that user account information associated with at least 500 million accounts had been stolen in late 2014. Just 13 days prior to the 8-K and press release, on September 9, 2016, Yahoo filed a preliminary 14A filing with the SEC related to the sale of Yahoo’s operating business to Verizon Communications, Inc., in which it stated that it did not have any knowledge of “any incidents of, or third party claims alleging… unauthorized access” of personal data of its customers that could have a material effect on the Verizon-Yahoo transaction.

It turned out that Yahoo’s disclosure was correct, at least to the extent that neither the breach nor the disclosure had a material effect on the Verizon transaction, which closed in June 2017.

The September 22 filing was the first disclosure by Yahoo of the hack, and it has raised many questions as to when Yahoo knew about the 2014 cyberattack and what its duties were to disclose it publicly. The hack has also raised questions about the SEC’s current rules and thresholds for how and when companies must report a material data breach. SEC guidance on this point is expected to be updated in the near future, but in the meantime, in the next few Lawcasts in this series, I will summarize the guidance as it stands today.