It’s 2017, and at this point everyone understands that cybersecurity is a board-level issue that needs to be addressed proactively. But as far back as 2011, following a series of data breaches at Wyndham, the Securities and Exchange Commission was already reminding public companies of their obligation to disclose cyber issues to investors in a timely manner.
That’s when the SEC released its guidance on disclosing cybersecurity risks and incidents. While not a rule or regulation, the SEC offered its view on how public companies should handle such disclosures in various scenarios.
And, as we’ll explore, it seems that this guidance may now be part of the basis of an investigation into Yahoo.
The SEC has not previously brought a case against a company or its directors and officers (Ds and Os) for cyber disclosure failures. Some believe the SEC has been waiting for an enforcement opportunity to show how the guidance should be interpreted and implemented.
Enter Yahoo. In January 2017, reports came out that the SEC was investigating Yahoo for not promptly disclosing the significant data breaches it suffered in 2013 and 2014. According to the press, disclosures about these breaches were made only in 2016, after the planned sale of the company to Verizon Communications was announced.
(The acquisition still looks to be on, though Verizon has slashed its offer price at the time of writing, CEO Marissa Mayer lost out on her bonus and stock award, and the company’s general counsel resigned without severance pay.)
In addition, as a result of the data breach disclosures, Yahoo also finds itself in the midst of class action lawsuits from both consumers and shareholders, alleging negligence and other claims.
Further, in its November 2016 quarterly report on Form 10-Q, Yahoo disclosed that “the Company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.”
From an insurance perspective, the lawsuits brought against Yahoo Ds and Os look like the kind of thing that would fall within a D&O insurance policy as a classically covered claim. There’s no reason to think that D&O insurance would fail to respond just because the underlying issue relates to a cyber breach.
On the other hand, government investigations of corporate entities are typically not automatically covered by a technology company’s D&O insurance policy. In the current insurance market, however, there are some insurance products that would respond.
The private plaintiff litigation from shareholders isn’t a surprise outcome. On the seriousness scale, however, private plaintiff litigation really takes a back seat to investigations by government entities like the SEC.
While it’s not possible to speculate on the outcome of the SEC investigation into Yahoo in an informed way, the fact remains that this investigation is a timely reminder for all public company directors and officers that this is an area of disclosure that the agency takes seriously.
As a result of its investigation, the SEC may very well issue additional interpretive guidance for cyber disclosures, like it has done in the past with things like non-GAAP financials.
Some companies aren’t waiting to enhance their cyber disclosures. For example, according to the Wall Street Journal, 17 companies disclosed breaches to the SEC in 2016. On the other hand, it seems likely that more than 17 companies had breaches in 2016.
From the Wall Street Journal:
Many hesitate to do so, because offering too much or too little information to investors can hurt companies. On the one hand, investors may feel management or boards tried to hide a problem or failed to disclose a breach in a timely way. On the other, too much disclosure could cause investors to bid down a company’s stock price, even if a later investigation reveals little impact on the business, according to experts.
Although some companies may hesitate to be forthcoming about cybersecurity disclosures, the Yahoo case tells us that the stakes are high if you find yourself with a significant data breach on your hands and the SEC decides the disclosure to investors was not timely enough.