The Gap Between Knowing and Telling: What the Yahoo Breach Teaches About Disclosure Controls
The SEC didn't fine Yahoo for being breached. They fined Yahoo for knowing and not telling.
This week’s episode covers the Yahoo breaches — the 2013 and 2014 intrusions that ultimately exposed every account Yahoo held, the FSB-directed operation that carried them out, and the SEC enforcement action that followed.
The episode itself traces the full technical chain: spear phishing, lateral movement, the User Database, forged authentication cookies. But the part I want to expand on here is the piece the SEC actually prosecuted — the disclosure gap.
What are disclosure controls?
The term sounds bureaucratic, and it is. Disclosure controls are the internal processes that connect the people who know something to the people who decide whether to tell the public. In a public company, these controls are a legal obligation under Sarbanes-Oxley. They exist specifically to prevent a situation where material information sits in one department while the company continues filing financial statements as if nothing has happened.
At Yahoo, the security team learned about the 2014 breach within days. The information then entered a chain of management reviews, legal assessments, and risk evaluations. Somewhere in that chain, it stopped. For nearly two years.
The SEC’s enforcement order didn’t charge Yahoo with being breached. It charged Yahoo with failing to maintain controls adequate to ensure the breach information was “properly assessed for potential disclosure.” The distinction matters: the breach was the attacker’s responsibility. The silence was Yahoo’s.
Why this matters beyond Yahoo
Before this enforcement action, the regulatory consequence for a breach was primarily about remediation — notify affected users, offer credit monitoring, pay for forensic investigation. The SEC added a new dimension: if you knew and didn’t tell investors, that’s a securities violation independent of the breach itself.
The 2018 SEC interpretive guidance that followed codified this. Public companies now have an explicit obligation to maintain processes for evaluating cybersecurity incidents for potential disclosure. The guidance doesn’t prescribe what those processes must look like. It says they must exist, and they must work.
The question worth asking
The episode ends with a question: if your organisation discovered a breach tomorrow, how many handoffs would it take before that information reached someone authorised to tell the public?
Map it. Count the steps. Identify where a finding could sit for weeks without escalation. That gap — between knowing and telling — is the thing the SEC decided it could measure and penalise. It’s worth measuring before a regulator does it for you.
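One way to do that mapping in something more durable than a whiteboard, as an added example that is not code from the episode or from zerodaylogs.com: record each handoff of a breach finding as a (date, role) event, then measure how long it sat at each step, whether it ever reached a role authorised to decide on disclosure, and which steps blew past a per-step escalation budget. The roles, the handoff log and the 14-day and 90-day budgets below are all constructed for illustration, not taken from Yahoo's actual chain or from any regulator's guidance.

```python
"""Added example: measure the knowing-to-telling gap in a handoff chain.

All roles, timestamps and budgets here are constructed assumptions for
illustration; none come from the Yahoo enforcement record.
"""
from datetime import datetime

# Roles that may decide on investor/public disclosure (hypothetical policy).
DISCLOSURE_AUTHORITY = {"disclosure_committee", "general_counsel"}

# Constructed handoff log: (date the finding arrived, role it arrived at).
HANDOFFS = [
    ("2014-12-01", "security_team"),
    ("2014-12-04", "ciso"),
    ("2014-12-10", "legal"),
    ("2015-01-15", "risk_committee"),
    ("2016-09-22", "disclosure_committee"),
]


def parse(events):
    """Turn (iso_date, role) pairs into (datetime, role) pairs."""
    return [(datetime.strptime(ts, "%Y-%m-%d"), role) for ts, role in events]


def dwell_times(events):
    """Per step: (role, whole days the finding sat there before moving on)."""
    parsed = parse(events)
    return [(role, (t1 - t0).days)
            for (t0, role), (t1, _) in zip(parsed, parsed[1:])]


def assess(events, max_days_per_step=14, max_total_days=90):
    """Summarise the chain against a per-step and an end-to-end budget.

    days_to_authority is measured from the first event to the first event
    whose role is allowed to decide on disclosure; None if never reached.
    """
    parsed = parse(events)
    steps = dwell_times(events)
    stalled = [(role, days) for role, days in steps if days > max_days_per_step]

    first_authority = next(
        (t for t, role in parsed if role in DISCLOSURE_AUTHORITY), None)
    total = (first_authority - parsed[0][0]).days if first_authority else None

    return {
        "handoffs": len(parsed) - 1,
        "longest_stall": max(steps, key=lambda s: s[1]) if steps else None,
        "stalled_steps": stalled,
        "reached_disclosure_authority": first_authority is not None,
        "days_to_authority": total,
        "over_total_budget": total is not None and total > max_total_days,
    }


if __name__ == "__main__":
    report = assess(HANDOFFS)
    for key, value in report.items():
        print(f"{key:30} {value}")
```

Run it on a real escalation record and the two numbers to look at are `longest_stall` (the single step where a finding can sit unnoticed) and `days_to_authority` (the gap the SEC order was concerned with); a chain that never reaches a disclosure-authority role at all is the worse failure, and shows up as `reached_disclosure_authority` being false.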
Watch the full episode on YouTube. The technical breakdown is available at zerodaylogs.com.
