The Securities and Exchange Commission announced an unprecedented $35 million cybersecurity penalty last week against Altaba Inc., putting other publicly traded companies on notice.
The financial regulator claimed Altaba, formerly known as Yahoo Inc., brushed a "massive" 2014 cybersecurity breach under the rug, keeping investors in the dark for two years about a hack affecting hundreds of millions of its users.
The fine adds teeth to recent SEC guidance on cybersecurity disclosure, experts say (Energywire, Feb. 22).
"Everybody was waiting on the SEC to drop the hammer," said Patrick Miller, managing partner at Archer Energy Solutions. "Anybody that doesn't disclose what could potentially be a market-swinging data breach is going to have similar problems."
Miller said he expects the first-of-its-kind penalty to reverberate among large electricity companies. "They're bound by the SEC like anyone [investor-owned] is, whether they're selling sneakers or electrons."
The Yahoo data breach — really a series of cyber intrusions dating back to at least 2014 — ranks among the largest in history, affecting 3 billion accounts at the former tech giant. Verizon Communications Inc. bought most of Yahoo's assets in 2016, and the remnants of the company became Altaba.
Yahoo executives knew they had lost their "crown jewels" in late 2014, the SEC says, including usernames, email addresses, birthdays and answers to security questions, among other data. But the company kept mum about the crisis, at least publicly, until December 2016. Altaba declined comment on last week's settlement with the SEC, in which it neither confirmed nor denied the breach.
"We do not second-guess good faith exercises of judgment about cyber-incident disclosure," said Steven Peikin, co-director of the SEC Division of Enforcement. "But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case."
Riana Pfefferkorn, cryptography fellow at Stanford Law School's Center for Internet and Society, said the enforcement action could "light a fire" under other public companies to disclose their own cybersecurity incidents, though the case may not help determine where to set the bar for reporting.
"If you're an executive for a publicly traded company, you might be looking at this data saying, 'That was so bad — laughably bad,'" she said. "'How do we know, when we have an incident like this, where that falls on the spectrum of what the SEC's going to decide merits enforcement?'"
Pfefferkorn suggested companies are likely to continue underreporting cybersecurity incidents despite the $35 million settlement. She pointed to several factors weighing against disclosure, from a desire to avoid giving away any information that could be used in future attacks, to pressure from law enforcement who may not want to tip off hackers to an ongoing investigation.
Still, the SEC has cautioned that the presence of an internal or external investigation isn't grounds to avoid sharing general information about a significant incident.
"It's not a get-out-of-reporting-free card," Pfefferkorn said.
She was also skeptical of claims that sharing data about an attack or intrusion could open the door for more malicious activity in the future.
"I understand the desire not to put in too much detail," she said. "But I think there are ways of saying enough to comply, and give meaningful information to your investors, without necessarily giving a road map to attackers."
Life and limb
Major energy companies have drawn a sharp line between a "material" breach and more mundane attempted cyber intrusions, while still opting to disclose the latter to investors.
Entergy Corp. pointed out in an SEC filing earlier this year that it had been subject to scrutiny from hackers (Energywire, Feb. 8).
"While malware was recently discovered on our corporate network and remediated on a timely basis, it did not affect the company's operational systems, nuclear plants or transmission network, nor did it have a material effect on our operations," Entergy said.
Exelon Corp., which owns and operates gas and electric utilities across the U.S., said in a recent filing that the risk of security breaches "continues to intensify."
"While the Registrants have been, and will likely continue to be, subjected to physical and cyber-attacks, to date none has directly experienced a material breach or disruption to its network or information systems or our service operations," the company said, while cautioning that subsidiaries "may be unable to prevent all such attacks in the future."
Michelle Reed, co-leader of Akin Gump Strauss Hauer & Feld LLP's cybersecurity, privacy and data protection practice, said in an email that the harm that can befall energy companies may make them more inclined to disclose their cybersecurity risks.
"Companies should be considering very closely what systems they have in place to identify even the small breaches to make sure that it isn't laying a predicate for a future breach of more devastating consequences," she said.
While Reed said she expects the "trickle of disclosures" to tick up following the Yahoo/Altaba enforcement action, she warned against going overboard with new reporting.
"Companies should be aware of concerns related to burying disclosures: courts have recognized the harm that can be caused to investors by an 'avalanche of trivial information,'" she said.
Electricity companies already face an avalanche of routine threats, the vast majority of which are rebuffed without fanfare, according to recent filings.
Some firms can face "thousands to millions of 'attempts' per day, depending on how an attempt to compromise is defined," said the Edison Electric Institute, which represents major investor-owned utilities, and the National Rural Electric Cooperative Association, in February comments to the Federal Energy Regulatory Commission.
Reporting such a flood of events to any regulator — be it the SEC or FERC, which is weighing expanded reporting rules for bulk power utilities — would be a daunting task, in the industry's telling.
"Much of these attempts are not likely to be malicious attempts, but entities would have to inspect and analyze every packet that attempts to enter their network to filter through all of the rejected noise and 'find the needle in the haystack' based on a determination of a sender's intent," EEI and NRECA said.
But if a malicious attempt slips through a utility's defenses, the effects could be dire.
Tom Finan, client engagement and strategy leader at risk management and insurance firm Willis Towers Watson, said a "material" cyber event in the electric sector could put more than user data at stake.
"Hackers want to go after attractive targets — historically it's been data and money," said Finan, a former Department of Homeland Security cybersecurity official. "But with the trends we've been seeing, there's a lot of interest in meddling with critical infrastructure like oil and natural gas, and the electric sector.
"The consequences there are not only going to be financial and reputational; it's going to affect life and limb, as well," Finan said.
Finan called the SEC penalty move a "wake-up call" for the private sector, suggesting it will spur executives to treat cybersecurity seriously, if they don't already.
"Cyber risk is a business risk that just can't be ignored," he said. "And if it's not treated as a business risk, there are going to be consequences."