Last April, the Securities and Exchange Commission (SEC) reached a settlement of $35 million with Altaba, Inc. over charges that the company misled investors by failing to disclose a massive 2014 cyber breach.
The settlement against Altaba, formerly known as Yahoo! Inc., came just a few months after the SEC published new guidance on cybersecurity disclosures.
While this SEC enforcement action was the first of its kind, it, along with the release of the 2018 guidance and the increasing frequency of cybersecurity-related comments from the agency, signaled the SEC's heightened attention to cybersecurity disclosure and the need to properly and promptly disclose breaches.
Such disclosure decisions, however, can be difficult for directors and officers and should be handled carefully in light of the possible business, financial and legal implications.
When a U.S. public company suffers a cybersecurity attack, its directors and officers have a responsibility to ensure that their company takes appropriate steps to investigate, evaluate and remedy the breach. Presently, there are no explicit cybersecurity disclosure requirements, which has led to uncertainty around a company's duty to disclose.
For example, when Home Depot, EMC and Heartland Payment Systems endured cyber attacks, each company elected to file a standard investor notification document known as Form 8-K to report the event, while others, such as Target, Altaba and Michael's stores, did not.
Absent explicit disclosure requirements, the duty to disclose is evaluated using conventional disclosure principles, which turn upon whether or not the information or event is "material."
Information is material if there is a substantial likelihood that a reasonable investor would view it as having significantly altered the total mix of available information. Materiality judgments necessarily vary from company to company, and a public company must weigh numerous qualitative and...