SEC Sounds Cyber ‘Wake-Up Call’ To Public Companies

Details

Publish Date: May 1, 2018
Source: E&E News

Summary

The Securities and Exchange Commission announced an unprecedented $35 million cybersecurity penalty last week against Altaba Inc., putting other publicly traded companies on notice.

The financial regulator claimed Altaba, formerly known as Yahoo Inc., brushed a “massive” 2014 cybersecurity breach under the rug, keeping investors in the dark for two years about a hack affecting hundreds of millions of its users.

Riana Pfefferkorn, cryptography fellow at Stanford Law School’s Center for Internet and Society, said the enforcement action could “light a fire” under other public companies to disclose their own cybersecurity incidents, though the case may not help determine where to set the bar for reporting.

“If you’re an executive for a publicly traded company, you might be looking at this data saying, ‘That was so bad — laughably bad,’” she said. “‘How do we know, when we have an incident like this, where that falls on the spectrum of what the SEC’s going to decide merits enforcement?’”

Pfefferkorn suggested companies are likely to continue underreporting cybersecurity incidents despite the $35 million settlement. She pointed to several factors weighing against disclosure, from a desire to avoid giving away any information that could be used in future attacks, to pressure from law enforcement who may not want to tip off hackers to an ongoing investigation.

“It’s not a get-out-of-reporting-free card,” Pfefferkorn said.

She was also skeptical of claims that sharing data about an attack or intrusion could open the door for more malicious activity in the future.

“I understand the desire not to put in too much detail,” she said. “But I think there are ways of saying enough to comply, and give meaningful information to your investors, without necessarily giving a road map to attackers.”
