“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, Co-Director of the SEC Enforcement Division.
Lack of Cyber-Disclosure and Fine
The fact remains that Yahoo’s failure to implement the appropriate controls to assess its cyber-disclosure obligations constitutes an unprecedented level of neglect. Public companies are expected to have the controls and procedures needed to properly evaluate and mitigate cyber incidents. Equally important is Yahoo’s responsibility to disclose material information to investors in a timely manner.
Yahoo neither admits nor denies the findings of the SEC order and pays the $35 million fine.