The SEC has apparently launched an inquiry into whether Yahoo and its employees violated federal laws requiring public companies to report cyber-incidents as soon as they are likely to impact shareholders. Yahoo suffered at least two major breaches in recent years - one in 2013 and one in 2014 - and neither was disclosed until late in 2016. In a worst-case scenario for Yahoo (and its shareholders and its employees), the SEC could conclude that the firm or one or more of its workers illegally covered up one or more breaches; such findings could lead the SEC to seek civil damages or even bring criminal charges against the firm and/or one or more of its employees.
In fact, a statement made in a Yahoo SEC filing last year that the company is cooperating with law enforcement agencies including "the U.S. Attorney's office for the Southern District of New York" implies that criminal charges may be under consideration -- that office frequently prosecutes Federal computer-crime-related cases.
One of the troubling factors in the Yahoo case that likely contributed to the SEC's desire to conduct a formal investigation is that (as Yahoo admitted in the aforementioned SEC filing) several of Yahoo's employees reportedly knew about the 2014 breach - which impacted hundreds of millions of user accounts - soon after it occurred, yet the firm did not disclose that breach to the public until late in 2016 - leaving innocent people in the dark (and potentially at unnecessary risk) for quite some time. Last year, Senator Mark Warner (a Democrat from Virginia), then a member of the Senate Banking Committee, publicly called for the SEC to investigate Yahoo's 2014 breach and let the public know its findings, stating that "Yahoo's September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."
Not coming clean in a timely fashion about a cyber-breach is a serious matter - and creates opportunities for all sorts of financial improprieties. If anyone profited from insider information by acting on knowledge of the breach while he, she, or others were covering it up, for example, it is easy to understand why that person could face jail time for insider trading.
But the issue is much broader.
How many people bought or sold Yahoo stock between the time Yahoo employees discovered the breaches and the time that the firm disclosed the breaches to the public? Did anyone with insider knowledge of either breach advise anyone on the outside? Did anyone profit from that insider information? Did any employees receive compensation based on company-stock performance that was effectively distorted by a breach being covered up? Was breach information withheld from Verizon - which announced in July 2016 that it would acquire Yahoo? Did other firms expend resources in M&A talks with Yahoo that they would not have held had they known the same information about the breaches that Yahoo employees knew? With these questions and various others in mind it is not hard to understand why any intentional cover-up by anyone within Yahoo's organization could warrant severe consequences. There is also the issue of Yahoo's internal policies and controls - the government may seek to determine if the firm fostered an environment in which breaches would be properly reported, if the individuals who did not report the breach did so because they were de facto incentivized to keep quiet, or whether reality was somewhere in between.
What do you need to do to protect your own business?
1. Understand the disclosure laws that apply to you.
Remember, cyber-breach disclosure laws vary from state to state, but SEC guidelines impact every public company in the country. Depending on how things play out, the Yahoo case may help establish new case law and precedents regarding when firms nationwide must disclose breaches.
2. Ensure that your cybersecurity plan includes not only how to protect your organization, but also a clear, written, incident-response plan.
The plan should include specific, detailed mechanisms for determining what needs to be disclosed to the public, and the procedures for making such disclosures in a timely fashion. You want a clear, step-by-step checklist; when a breach occurs you may be under significant stress, and "winging it" is a recipe for disaster. Disclosing breaches may sound simple and straightforward, but it is not; even in recent years, many organizations have not successfully disclosed breaches, even when members of the information-security community suspect that the breaches occurred. As Ondrej Krehel, CEO at cyber-forensics firm LIFARS, told me, "Notifying and declaring a data compromise in a timely manner to those who have been affected and in some instances, to the general public, has been a challenge for many enterprises." Krehel pointed out to me that there are even organizations whose servers are listed on xDedic - an underground market on which hackers sell illegal remote access to hacked servers - that have not disclosed relevant breaches. Think about that for a moment.
3. Make sure that your incident-response plan includes clear instructions as to what to disclose and how to do so.
As Dana Simberkoff, Chief Compliance and Risk Officer at AvePoint, put it, "It is not enough to issue a vague public statement -- companies need to provide context, including how the situation will impact victims and what the long-term consequences are." Remember that any evasiveness could make a bad situation much worse. As Simberkoff pointed out, "Trust is something that businesses must work to establish with their customers every day. Once lost, it is very difficult to regain."