Understanding Regulatory and Court Orders (Altaba / Yahoo — SEC)
Table of contents
- 1. SEC cease-and-desist order (File No. 3-18448)
- 2. Consolidated view: findings and undertakings
- Appendix: Citation format
Purpose
Summarize the SEC’s order instituting cease-and-desist proceedings against Altaba Inc., f/d/b/a Yahoo! Inc.—official links, principal findings on cybersecurity disclosure, and remedial requirements—so security, legal, and finance can align incident response with disclosure controls.
1. SEC cease-and-desist order (File No. 3-18448)
Official document
Order Instituting Cease-and-Desist Proceedings, Making Findings, and Imposing a Cease-and-Desist Order — In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc.
SEC Administrative Proceeding File No. 3-18448; Securities Act Release No. 10485; Exchange Act Release No. 83096; Accounting and Auditing Enforcement Release No. 3937
April 24, 2018
- Official PDF: SEC order (PDF)
- EDGAR exhibit (HTML): Exhibit 99.1
Summary of Commission findings (condensed)
The Commission’s findings (as described in the order) concern Yahoo’s failure to disclose a massive 2014 data breach involving personal data relating to hundreds of millions of user accounts. Yahoo’s information security team learned of the intrusion within days, but for approximately two years the company did not disclose the breach to investors in its periodic reports. Filings during that period described data-breach risk in generic terms rather than informing investors that a specific large-scale breach had occurred. The order also describes failures to maintain disclosure controls and procedures designed to ensure that information about the breach reached relevant decision-makers for assessment under the federal securities laws, including issues around sharing information with auditors and outside counsel for disclosure analysis.
Key interpretation (for security and disclosure teams)
The matter treats cyber incident knowledge in security and IT as potentially material non-public information that must flow through disclosure controls. Technical detection is not enough if the enterprise cannot escalate, document, and evaluate the incident for reporting purposes.
2. Consolidated view: findings and undertakings
| Topic | Order / findings | Practical takeaway |
|---|---|---|
| Timely disclosure | Specific breach not disclosed for an extended period while generic risk language continued | Escalate confirmed incidents to disclosure committee with clear SLAs |
| Disclosure controls | Inadequate procedures to ensure breach information reached those responsible for filings | Map security alerts to disclosure workflow and owners |
| Auditor / counsel interface | Information not shared appropriately to assess reporting obligations | Predefine legal and audit touchpoints for significant incidents |
| Sanctions | Cease-and-desist; civil money penalty ($35 million in order) | Treat securities exposure as a first-class incident outcome |
Appendix: Citation format
Cite the administrative order as: In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., SEC Administrative Proceeding File No. 3-18448, Order Instituting Cease-and-Desist Proceedings (Apr. 24, 2018).