Board Pack (SEC — In the Matter of Altaba Inc., f/k/a Yahoo! Inc.)
Use this to brief executives and counsel.
Purpose
This board brief provides decision-useful context for the SEC’s April 2018 order against Altaba/Yahoo: cybersecurity intrusion disclosure failures, disclosure controls and procedures, and oversight of incident-to-investor communications. It is designed to help the board evaluate governance adequacy, remediation priority, and reporting cadence across legal, technical, and operational dimensions.
Hallucinated writing examples
Scenario: In an illustrative period immediately following the SEC cease-and-desist order (time), the Chief Information Security Officer (role) prepares a board security brief (type) for the Board Audit Committee (audience).
MEMORANDUM
This memorandum summarizes the Commission’s April 24, 2018 administrative order against Altaba Inc., f/k/a Yahoo! Inc. (File No. 3-18448), including a civil money penalty and cease-and-desist findings relating to disclosure of a 2014 intrusion affecting hundreds of millions of user accounts and the timeliness and adequacy of public reporting. The company neither admitted nor denied the findings. Findings below are drawn from the order; internal facts must be confirmed against company records.
Incident Summary: The order describes a 2014 intrusion of massive scale and states that information security personnel confirmed unauthorized access within days, while investors did not receive adequate disclosure in Exchange Act reports for approximately two years. Disclosure ultimately occurred in connection with public events including M&A-related reporting, as described in the order and public materials.
The enforcement outcome elevates board focus on the interface between confirmed cybersecurity facts and disclosure controls, materiality analysis, and auditor coordination.
Regulatory and Legal Outcomes: The SEC imposed a cease-and-desist order and civil money penalty. Private securities litigation risk and regulatory examination interest typically increase after such orders. Management must maintain documentation supporting escalation timelines, disclosure committee decisions, and retention of security logs and tickets under legal hold.
Control Failures and Root Causes: The order and related public narratives highlight:
- Weaknesses in disclosure controls and procedures for routing confirmed cybersecurity facts to Legal, Finance, and the disclosure committee;
- Insufficient alignment between security monitoring evidence and periodic reporting judgments;
- Retention and accessibility gaps for logs and investigation artifacts needed to support accurate external statements;
- Board reporting that may have relied on generic risk factors without timely specificity on known incidents.
These areas are the focus of our remediation plan.
Remediation and Oversight Program: The Company is formalizing written escalation triggers from security to disclosure counsel, disclosure committee charter updates, joint tabletop exercises, SIEM retention expansion for investigation-relevant systems, and SOX-style testing of disclosure controls for cyber scenarios with documented exception handling.
Approval and Endorsement Requests: Management requests the Committee’s approval of the incident-to-disclosure escalation policy; endorsement of budget for logging retention and GRC tooling; and confirmation of quarterly reporting on time from incident confirmation to disclosure committee briefing and on open audit findings related to disclosure controls.
Please let me know if additional information or further detail would be helpful.
Respectfully submitted,
Chief Information Security Officer