A large publicly traded internet media company agreed to pay a $35 Million fine and cooperate with investigators for failing to timely disclose a hacker breach of more than 500 million client accounts. The SEC charges that the respondent waited nearly 2 years before disclosing the breach, during which time it filed misleading annual reports and Forms 10-K and 10-Q. Additionally, the SEC accuses the company of filing a stock purchase agreement (as part of Form 8-K) that included misrepresentations about security breaches, thereby leading to a $350 Million reduction in the purchase price. A senior SEC official advised: “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
OUR TAKE: When it comes to cybersecurity incidents, time is not on your side. Because of the potential harm to clients and investors, it is better to provide immediate disclosure that will be followed up with additional information rather than waiting and thereby compounding the potential harm. Hacked firms must move quickly to investigate, assess, and remediate the harm to minimize damages.