November 14, 2016
Senior Associate Ken D. Kronstadt was quoted in the Bloomberg BNA article “Yahoo Knew About State-Sponsored Cyberattack in 2014: Quarterly Report” discussing the 2014 claim by Yahoo that hackers stole data from more than 500 million accounts. The company reported the cyberattack in mid-2016 when they merged with Verizon Communications Inc.
In 2011, a few years before Yahoo’s cyberattack, the SEC Division of Corporate Financial issued a guidance discussing obligations relating to cybersecurity risks and incidents. “Although disclosure of cybersecurity liability isn’t required, the Securities and Exchange Commission guidance does require reporting of cybersecurity incidents,” said Kronstadt.
Consistent with the SEC’s guidance, Yahoo recently disclosed in a Form 10-Q that the company did not have cybersecurity liability insurance. “Such a disclosure to the SEC isn’t surprising because investors would want to know about such incidents,” added Kronstadt. “Companies should brace themselves for more stringent reporting requirements in the future.”