In a development in an enforcement action that is the first of its kind, the SEC has levied a $35 million penalty against Altaba, Inc. as successor in interest to Yahoo, for Yahoo’s two-year delay in reporting the massive data breach the company experienced in December 2014. Altaba, which neither admitted nor denied any wrongdoing, agreed to pay the penalty as part of the settled resolution of SEC cease-and-desist proceedings. The penalty follows the SEC’s recent release of cybersecurity disclosure guidance for reporting companies and clearly indicates that the agency is increasingly focused on companies’ cybersecurity disclosure practices. The SEC’s April 24, 2018 press release about the penalty can be found here. The SEC’s April 24, 2018 order in the cease-and-desist proceedings can be found here.
Continue Reading First-Ever SEC Data Breach Disclosure Enforcement Penalty Imposed

David Fontaine
John Reed Stark

As I noted in a post at the time, on February 21, 2018, the SEC released its cybersecurity disclosure guidance for publicly traded companies. In the following guest post, David Fontaine, CEO of Kroll, Inc. and its parent, Corporate Risk Holdings, and John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, take a look at the SEC’s guidance, with a particular focus on what the agency’s statement has to say about the duties of corporate directors. A version of this article originally appeared on The Harvard Law School Forum on Corporate Governance and Financial Regulation (Here). I would like to thank David and John for their willingness to allow me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David and John’s article.
Continue Reading Guest Post: Cybersecurity: The SEC’s Wake-Up Call to Corporate Directors

John Reed Stark

As I noted in a post at the time, on February 20, 2018, the SEC issued its guidance for cybersecurity-related disclosures. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, has pulled together of list of 12 takeaways for corporate officials from the SEC’s guidance. I would like to thank John for his willingness to allow me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: A Dozen C-Suite Takeaways from the 2018 SEC Cyber-Disclosure Guidance

After a bit of last-minute drama, the SEC on Wednesday issued its guidance for public company cybersecurity disclosures. The Commission’s guidance document emphasizes companies’ disclosure obligations under existing law and requirements. The statement also underscores the Commission’s concerns about insider trading prohibitions and the obligation of reporting companies to refrain from making selective disclosures about nonpublic information. As discussed below, the Commission’s Democratic members criticized the statement for not going far enough. The Commission’s February 21, 2018 press release about the cybersecurity disclosure guidance can be found here. The Commission’s statement and guidance on cybersecurity disclosure can be found here. SEC Chair Jay Clayton’s statement about the Commission’s guidance can be found here.
Continue Reading SEC Releases Cybersecurity Disclosure Guidance