Yahoo’s Cyber Breach Disclosure Penalty: Would Your D&O or Cyber Insurance Cover an SEC Fine?

The US Securities and Exchange Commission’s $35 million settlement with Altaba, the company formerly known as Yahoo, highlights the need for companies to understand how their directors and officers liability (D&O) and cyber insurance policies might respond to securities-related regulatory activity. The settlement reflects the SEC’s stated mission of making cyber-based threats a focus of this administration and is the first securities-related regulatory action arising out of a cyber incident.

The SEC Settlement

On April 24, the SEC announced the settlement of its enforcement action arising out of Yahoo’s two-year delay in reporting what it characterized as “one of the world’s largest data breaches,” which occurred in 2014. At issue, among other things, are Yahoo’s purported material misstatements and omissions regarding the breach. The company represented in its regulatory filings that it faced a risk of potential future data breaches that might expose it to loss despite knowing of the actual breach. In fining Yahoo, the SEC determined that the company committed various securities law violations and acted negligently in filing materially misleading reports with the agency. 

Risk for Companies and their Directors and Officers

While this is the SEC’s first securities-related regulatory action arising out of a cyber incident, it likely won’t be the last. Whether the fines at issue will be deemed covered under D&O and/or cyber insurance will vary, based on both policy wording and the settlement itself. 

Directors, officers, and the companies they serve should prepare for more potential actions by carefully reviewing their D&O coverage with a skilled advisor. Among other items, pay close attention to:

• Whether the policy includes entity regulatory investigation coverage.
• Whether coverage exists for entity regulatory proceedings.
• The breadth of coverage for fines, penalties, and punitive damages.
• What is included and excluded from the policy’s definition of “loss.”
• The breadth of conduct exclusions and whether there are other potentially limited exclusions — specifically, a privacy exclusion.
• The policyholder’s consent and notice obligations.
• The extent of pre-claim inquiry coverage for directors and officers and indemnification language in the policy.

Similarly, you should carefully review your cyber policy. Among other questions, you should seek answers to the following:

• What is the breadth of the regulatory coverage grant in your policy? Are investigations or requests for information covered? Does the SEC meet the definition of regulatory bodies covered under the policy?
• Is the regulatory fine/penalty coverage grant limited only to certain regulations? And how is the ultimate penalty framed — for a violation of SEC disclosure rules or for the breach itself?
• What is the insurability in the jurisdiction of the regulatory fine?
• What are the nuances of the securities exclusion? Does it apply only to the Securities Act of 1933 and the Securities Exchange Act of 1934? Are there carvebacks to the exclusion for failure to disclose a breach?

The SEC’s settlement with Yahoo demonstrates the agency’s growing focus on cyber-related disclosure protections. That means now is the time to make sure companies and their directors and officers have the insurance protection they need.