In yet another knock on edge providers getting pounded in Washington, the Securities & Exchange Commission said Yahoo! (now Altaba Inc., owned by Verizon) has agreed to pay $35 million to settle charges it misled investors about a 2014 data breach affecting hundreds of millions of users' accounts.
The SEC said that while the breach -- by Russian hackers -- was reported to senior management and legal, Yahoo! failed to properly investigate the breach or consider whether it was the sort of material fact that had to be disclosed to investors, who did not learn about the breach until 2016, when Yahoo! was closing on its sale to Verizon.
The SEC signaled that while it gave companies leeway about decisions on when to notify, Yahoo! was beyond the bounds.
"We do not second-guess good-faith exercises of judgment about cyber-incident disclosure," said SEC Enforcement Division co-director Steven Peikin. "But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case."
In addition to failing to notify investors, the SEC said, "Yahoo! failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure."
The SEC in February provided guidance to help companies like Yahoo! make such assessments.
Yahoo! did not admit or deny the SEC's findings. The SEC also said its investigation of the company continues.
In a tweet following the settlement, Sen. Mark Warner (D-Va.), ranking member of the Senate Banking Subcommittee on Securities, Insurance and Investment and co-founder of the Cybersecurity Caucus, suggested it was about time the SEC acted. He had called for the SEC investigation back in 2016.