On the heels of publishing disclosure guidance, the SEC has issued an order in its first-ever action against a public company for failing to disclose a material data breach. Altaba Inc. (formerly known as Yahoo) has agreed to a $35‑million fine to settle SEC accusations that it failed to promptly notify investors about its massive 2014 data breach in which hackers stole personal data relating to hundreds of millions of user accounts. The SEC’s cease-and-desist order highlights the nearly two-year delay in fully investigating and notifying the public of the event. During this time period, Yahoo included generic descriptions of its cybersecurity risk factors and incident history in its Forms 10‑K and 10‑Q filings, the order explains. This article analyzes the order and provides lessons to fund managers on disclosing cybersecurity breaches. See “SEC Confirms Cyber Disclosure Expectations in New Guidance
” (Apr. 26, 2018).