When Yahoo revealed in September 2016 that its systems had been hacked, two things about the disclosure were shocking.
The sheer size — 500m compromised accounts — was astonishing. More troubling, in particular for Verizon, which had just agreed to pay $4.5bn to acquire most of Yahoo’s assets, was the fact that the company had kept the breach secret for two years, even when Verizon asked for details of cyber security incidents before the deal.
Yahoo, or Altaba, as it is now known, in April became the first company to receive a fine — $35m — from the Securities and Exchange Commission for failure to disclose a cyber attack.
Although the Yahoo case is extreme, it is the latest signal for companies about how to handle the aftermath of a cyber attack. In its findings the SEC noted that while Yahoo’s failure to disclose the breach was bad, the lack of a proper process to make that decision was even worse. Altaba did not admit or deny the SEC’s findings in the settlement.
The message from the Yahoo fine was clear, says Doug Davison, a partner at law firm Linklaters and previously counsel to former SEC chairman Arthur Levitt. “When you have a problem, go to the lawyers, go to the auditors. Get your disclosure procedures in place. And don’t sit on it,” he says.
He says companies must be prepared to be challenged on their judgment of whether an attack is ‘material’ enough to require disclosure.
Cyber security disclosures have been a priority for the SEC for years, as it recognised the operational and financial impact breaches have had on publicly traded companies. In February, the agency issued guidance on how businesses should handle disclosure, telling them to consider the materiality of any hacks and warning that an ongoing investigation was no reason to keep a breach secret.
The SEC pointed to several failings when it settled with Yahoo. Senior management learnt of the 2014 breach within days, along with the company’s legal team, but did not share the knowledge with Yahoo’s auditors and external lawyers. They did not properly assess the scope or the business impact of the breach.
Companies remain unsure how best to inform the public about cyber security problems, says Cara Peterman, a partner at law firm Alston & Bird, who did not comment directly on Yahoo’s case. Information can change quickly in the early stages of an investigation, she says.
“To be able to make a determination whether this is a breach that is significant enough to be disclosed can change on an hourly basis,” she says, recalling situations where the number of suspected affected accounts can go from 100,000 to as few as 100.