Recent SEC Settlement is Cautionary Tale for Canadian Public Issuers on Disclosure of Cyberincidents and Related Risks
May 15, 2018
On May 15, 2018, McCarthy Tetrault LLP published an article on how the Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.
On April 24, 2018, the SEC announced that Altaba Inc. had agreed to pay a USD$35 million penalty to settle disclosure charges relating to a December 2014 cyberincident. Altaba settled without admitting or denying any wrongdoing. Among other things, the SEC settlement noted:
- Altaba failed to properly investigate the circumstances of the breach.
- Altaba did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.
- Altaba did not include information regarding the breach in its quarterly or annual public filings in 2015 or 2016 even though it learned that cyberattack attempts by the same hackers continued.
Review the full article on McCarthy Tetrault's website.