The US Securities and Exchange Commission is investigating Yahoo’s failure to disclose a massive cyber attack for nearly two years even as it pursued a sale of its core business.
SEC officials opened a formal investigation in December, according to a former commission official, one month after Yahoo said it was “co-operating with federal, state, and foreign governmental officials and agencies seeking information and/or documents” about a 2014 hack that affected more than 500 million Yahoo accounts.
The existence of a formal investigation gives the commission authority to subpoena documents from Yahoo and related parties. Along with the SEC, federal prosecutors in Manhattan, the US Federal Trade Commission and several state attorneys-general are looking into the matter, Yahoo said.
The SEC has never brought an enforcement action against a public company for failing to make a timely disclosure of a cyber-security incident, according to Kim Phan, a data security specialist at Ballard Spahr in Washington. "The SEC is looking for an opportunity to bring that type of action," said Mr Phan. "Cyber is such a hot topic. They want to be in there."
Verizon deal
Yahoo said in September that the details of 500 million accounts had been hacked two years earlier. That disclosure came two months after Verizon agreed to buy the one-time internet star for $4.8 billion. Two weeks before the announcement, the company had said it was unaware of “any incidents” of “security breaches, unauthorised access or unauthorised use” of its IT systems.
Senator Mark Warner, a member of the Senate intelligence and banking committees, wrote to then-SEC chair Mary Jo White in September to urge an investigation, citing "serious concerns about truthfulness" on the part of Yahoo's senior executives.
Yahoo blamed the intrusion on a “state-sponsored” hacker, but has not explained its decision not to make the incident public. Last month, the company disclosed a separate hacking incident affecting an additional billion customers.
In response to the second incident, Verizon said it would “review the impact of this new development” before deciding how to proceed with its Yahoo deal.
In 2011, the SEC issued guidance for public companies on how to disclose cyber-security incidents. But executives have struggled to determine which cyber attacks are material from an investor’s perspective when most companies are struck on a near-daily basis. Most such attacks also have had little lasting impact on stock prices.
"Since 2011, they've been hunting and fishing for a disclosure case and it's been difficult for them," said John Reed Stark, former head of the SEC office of internet enforcement. "It's a very subjective definition and difficult to determine materiality." – (Copyright The Financial Times Limited 2017)