In February of 2018, the Securities and Exchange Commission released an updated set of guidelines for public companies on disclosing cybersecurity risks and incidents. Though this guidance was presented as a collection of supportive best practices, the SEC has since followed through on it in a significant way, in the form of its ruling on the Yahoo breach disclosure.
Altaba, as the remnant of Yahoo! Inc. is now called, was fined $35 million for failing to disclose that their infosec team had discovered that hackers had stolen their customers’ login information. The penalty was levied against Altaba based on several factors, but primarily for failing to fully investigate the incident and properly disclose all of the details to investors.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, Co-Director of the SEC Enforcement Division. Altaba, when it was still Yahoo, knew of the breach in 2014 but did not disclose it, and it was not discovered until 2016 while Verizon was finalizing its acquisition of Yahoo’s assets.
The decision demonstrated the SEC’s commitment to enforcing its new interpretation of cybersecurity obligations, but it also reflects a broader trend toward stricter enforcement of network security. Regulatory agencies have begun to expect greater effort on the part of organizations that collect and manage the personal data of their personnel, customers, or membership. This is evident in the severity of some of the penalties, such as when a medical practice network in southern New Jersey was fined over $400,000 by the state for the actions of a contractor that exposed its patients’ information.
Demonstrating best practices in protecting non-public personal information (NPI), especially that of clients, is slowly becoming integral to compliance in multiple industries across several nations. Businesses will increasingly be called upon to show their methods both for preventing cybersecurity incidents and for responding to actual network breaches.
Contact us to find out how we can help you review your current network capabilities and ensure that you follow best practices in network security.