April 25, 2018

Cybersecurity: SEC Sends Yahoo! a $35 Million Message

When the SEC issued new cybersecurity disclosure guidance earlier this year, you just knew that a “message” enforcement action couldn’t be too far behind.  Yesterday, the SEC delivered that message to Altaba (f/k/a Yahoo!) – in the form of this consent order & accompanying $35 million civil monetary penalty.

The action focused on alleged disclosure shortcomings associated with the company’s massive 2014 cyber breach.  Here’s an excerpt from the SEC’s press release:

The SEC’s order finds that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches.

In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.

Without admitting or denying the SEC’s allegations, the company consented to an order requiring it to cease and desist from further violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15.

In addition to alleged shortcomings in Yahoo!’s periodic reports, the order calls out this Form 8-K filing announcing its deal with Verizon as another source of disclosure violations. The order notes that despite the company’s awareness of the breach, the stock purchase agreement filed with that 8-K contained affirmative reps & warranties by Yahoo! denying any significant data breaches.

The SEC’s use of reps & warranties as a premise for disclosure violations hearkens back to the 2005 Titan 21(a) report. After Titan, it became customary to include disclaimers clarifying that  reps & warranties weren’t intended to be affirmative statements of fact. Those disclaimers were prominently displayed in Yahoo!’s 8-K, but they didn’t make much of an impression on the Division of Enforcement. We’re posting the related memos in our “Cybersecurity” Practice Area (see this Cooley blog – and D&O Diary blog).

Auditor’s Reports: What Can KAMs Tell Us About CAMs?

As companies & auditors wrestle with the implications of the PCAOB’s new audit report standard, companies in the rest of the world are assessing the early returns from changes to their audit reports that were adopted by the IAASB in 2014.

The IAASB’s new format required auditors to include a discussion of “key audit matters” – known as “KAMs” – in their audit reports. KAMs are matters communicated to those charged with governance that, in the auditor’s professional judgment, were of most significance in the audit. That’s a pretty close analog of the PCAOB’s “critical audit matters” – known as “CAMs” – which are matters communicated to the audit committee that relate to material accounts or disclosures and involve complex auditor judgment.

Concern have been expressed about the PCAOB’s new standard – and the CAMs concept in particular. Most critics have suggested that auditors will result to defensive disclosures of CAMs and will use “boilerplate” to protect themselves. But this recent report from the Association of Chartered Certified Accountants says that these concerns may be overblown. Here’s an except:

While these concerns are reasonable, ACCA’s research and roundtable feedback did not indicate that either of them is actually happening. And while there was evidence of common innovations among audit firm networks, ACCA has not seen widespread sharing of standardised wording. While the US legal environment is distinct from that of other countries, ACCA nevertheless believes that there are grounds to be optimistic about how the publication of critical audit matters will affect the financial reporting supply chain.

Tomorrow’s Webcast: “The Latest on ICOs/Token Deals”

Tune in tomorrow for the webcast – “The Latest on Token Deals” – to hear Pillsbury Winthrop’s Daniel Budofsky, Morrison & Foerster’s Susan Gault-Brown, Hunton Andrews Kurth’s Scott Kimpel and Smith Anderson’s Margaret Rosenfeld review the mechanics of ICOs/token deals as well as the latest trends & developments.

John Jenkins