The Securities and Exchange Commission (SEC) warned companies back in 2011 that cyber incidents can be costly (lost revenue, litigation, reputational damage) and therefore may need to be reported to investors. Sure, there is no specific legal requirement to tell investors about cybersecurity incidents, but public companies are required by the SEC to inform investors in their filings of any news that may affect their investment decisions.
Actual cyber incidents, or even potential security weaknesses, can be, in legal speak, “material” information that would have to be reported to the SEC promptly on a Form 8-K, or in the quarterly 10-Q and annual 10-K filings. You can read more about what material means in our post on the SEC’s latest guidelines for cyber reporting.
And then along came Yahoo and its massive breach, which occurred way back in 2014 and wasn’t publicly reported until 2016. To refresh memories: after a delay of more than two years, Yahoo initially said that at least 500 million accounts had been taken in the 2014 breach. A few months later it disclosed a separate 2013 breach of a mere 1 billion accounts, a number it eventually revised to 3 billion.
The disclosure of the 2014 breach came out after Verizon had announced its acquisition of Yahoo. This new information ultimately led Verizon to reduce its bid for Yahoo by about $350 million.
If there were ever a test case for the SEC to show that it was serious about enforcing the reporting of material cyber incidents, this would be it.
The SEC Has Spoken
In late April, the SEC announced a settlement with Yahoo, now known as Altaba, in which the company agreed to pay a fine of $35 million. I’ve excerpted part of the actual settlement below, because it should be required reading for CSOs, CISOs, and CPOs, as well as for CFOs and CLOs (who probably read this kind of thing over breakfast anyway):
Despite its knowledge of the 2014 data breach, Yahoo did not disclose the data breach in its public filings for nearly two years. To the contrary, Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information stored in its information systems … without disclosing that a massive data breach had in fact already occurred.
This SEC action comes on top of a separate $80 million settlement of a class-action suit brought by investors over the data breach. Other lawsuits are still pending, and you can read about the whole Yahoo legal mess here.
What Should Yahoo Have Done When it Discovered the Breach?
In December 2014, after Yahoo’s security team learned that highly sensitive information from hundreds of millions of users had been stolen, including usernames, email addresses, hashed passwords, and telephone numbers, upper management, including the legal team, was informed.
The SEC noted that Yahoo’s “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings …”
And the SEC pointed out that upper management never disclosed the breach to Yahoo’s auditors or outside counsel, so it never got their advice.
Yeah, they should have filed an 8-K immediately.
More specifically, the SEC called out Yahoo for not maintaining “disclosure controls and procedures” to ensure that reports of actual security incidents, and of potential security weaknesses, were analyzed and assessed for possible disclosure.
In plain speak, companies are supposed to have agreed-upon procedures for getting cybersecurity information up to management, and senior management needs rules in place to guide it in analyzing, and disclosing, a breach or a potential data security risk.
Let’s Go to the SEC Files
To get a sense of how a company reports its cybersecurity status when it wants to say there’s nothing unusual going on, I found a plain, garden-variety example after reviewing some 10-K annual reports on the SEC’s site (and gulping down a few coffees):
You usually can find this kind of information in the risk factors section of the report. In short: this company has the usual standard cyber risk profile, and in its case there are currently no serious cyber incidents affecting it.
Then I looked at Yahoo’s 2016 annual report, in which it discussed what it refers to as “the security incident” for the first time.
Obviously, this information should have been reported much earlier, but note that Yahoo discusses the PII that was exposed, the extent of the exposure (at least 500 million accounts), and the status of its ongoing investigation.
CFO Learns Programming
In the next post, I’ll provide more details and some advice about what public companies need to be doing to meet the SEC’s data security reporting guidelines. However, it’s clear from reading the SEC’s latest guidance from earlier this year (and I’m saying that as a blogger, not as a compliance attorney) that C-levels will be forced to pick up basic computer and data security knowledge.
To make the SEC (and investors) happy, public companies should go beyond having breach disclosure procedures in place. At some point, the raw intelligence will need to be examined by well-informed decision makers at the top. As the SEC guidance points out, companies should “evaluate the significance associated with such [cyber] risks and incidents.”
In other words, the CEO, CFO, and the legal team will need to acquire enough technical background to understand what it means when, say, an assessment report says that your customer credit-card directory has an “Everyone” ACL, or that a hashed password file was stolen but can be easily cracked.
I’m not saying your CFO should take Computer Science 101 and learn what hashing means (though it’s not a bad idea!), but the C-suite should have enough technical and infosec context to make the right evaluation.
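To make the “hashed but easily cracked” point concrete, here is an added example (my own illustration, not from the original post or from the Yahoo case) of why a stolen password file protected by a fast, unsalted hash is effectively plaintext to an attacker with a wordlist, while a salted, iterated hash forces the attacker to pay for every guess against every user. The user list, passwords, and wordlist are all constructed for the demo; `build_*_dump` just produce the file an attacker would have stolen from each kind of system.

```python
"""Offline guessing against a stolen credential dump: unsalted MD5 versus
salted, iterated PBKDF2. Every piece of data here is constructed for the example."""
import hashlib
import os

# Constructed stand-in for the "top passwords" list an attacker starts with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "sunshine"]

# Constructed users and their real passwords. Only used to BUILD the sample
# dumps; the cracking functions never see them.
SAMPLE_USERS = {"alice": "password1", "bob": "sunshine", "carol": "Tr0ub4dor&3"}


def store_unsalted_md5(password):
    """The weak scheme: one fast hash, no salt.
    The same password always yields the same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt=None, rounds=100_000):
    """A sane scheme: per-user random salt plus an iterated hash.
    Returns (salt_hex, rounds, digest_hex) the way it would sit in the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex(), rounds, digest.hex()


def build_unsalted_dump(users):
    """What an attacker gets from a system using store_unsalted_md5."""
    return {user: store_unsalted_md5(pw) for user, pw in users.items()}


def build_salted_dump(users, rounds=100_000):
    """What an attacker gets from a system using store_salted_pbkdf2."""
    return {user: store_salted_pbkdf2(pw, rounds=rounds) for user, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then look up EVERY user against that table.
    Returns ({user: password}, hash_operations_spent)."""
    table = {store_unsalted_md5(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """Each user has a different salt, so every candidate must be re-derived
    per user, and each derivation costs `rounds` HMAC iterations.
    Returns ({user: password}, hmac_operations_spent)."""
    cracked, work = {}, 0
    for user, (salt_hex, rounds, digest_hex) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            work += rounds
            guess = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, rounds)
            if guess.hex() == digest_hex:
                cracked[user] = word
                break  # stop at the first hit for this user
    return cracked, work


if __name__ == "__main__":
    weak_hits, weak_work = crack_unsalted(build_unsalted_dump(SAMPLE_USERS), WORDLIST)
    strong_hits, strong_work = crack_salted(build_salted_dump(SAMPLE_USERS), WORDLIST)
    print("unsalted MD5: cracked", weak_hits, "with", weak_work, "hash ops")
    print("salted PBKDF2: cracked", strong_hits, "with", strong_work, "HMAC ops")
```

Both dumps give up the two users with wordlist passwords, so salting and iteration are not a substitute for disclosure; the difference is cost. The unsalted table is built once (6 hashes) and serves a dump of any size, while the salted run needs roughly 1.7 million HMAC operations for just three users, and that cost grows linearly with the user count. A report saying “hashed passwords were stolen” only tells the board something once it also says which column of this comparison the company was in.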
More C-suite infosec wisdom next time.