Risk Register (Altaba / Yahoo SEC (2018))¶
Purpose¶
This register captures material risks highlighted by Altaba / Yahoo SEC (2018) with severity, impact pathway, mitigation plan, and evidence expectations. It is intended for ongoing governance and audit use so risk acceptance, remediation progress, and accountability remain explicit over time.
Risk Register¶
DISC-CTRL-01 — Incident-to-disclosure control latency¶
- Severity: High
- Description: Delayed routing of confirmed security facts to disclosure decision-makers increases securities exposure.
- Impact: Potential inaccurate or untimely investor communications.
- Mitigation: Formal escalation triggers and joint legal/security disclosure workflow.
- Evidence: Escalation logs, disclosure committee records, timeline attestations.
EVID-LOG-02 — Insufficient retained evidence for reporting decisions¶
- Severity: High
- Description: Gaps in retained logs and incident records weaken support for disclosure judgments.
- Impact: Higher enforcement and litigation vulnerability.
- Mitigation: Retention standards with legal-hold integration for security artifacts.
- Evidence: Retention audits, legal hold records, evidence inventory.
RACI-03 — Cross-functional accountability ambiguity¶
- Severity: Medium
- Description: Unclear ownership between security, legal, and finance can delay critical decisions.
- Impact: Decision lag and inconsistent filings narrative.
- Mitigation: Define and enforce RACI for cyber-disclosure events with rehearsal drills.
- Evidence: RACI matrix, tabletop outputs, governance minutes.
AUDIT-04 — Disclosure-control test exception recurrence¶
- Severity: Medium
- Description: Repeated control testing exceptions indicate process immaturity.
- Impact: Increased audit/regulatory pressure.
- Mitigation: Remediation governance with due dates and executive escalation for aged exceptions.
- Evidence: Control test reports, issue tracker, closure confirmations.
COMMS-05 — Public statement / internal finding mismatch¶
- Severity: Medium
- Description: Differences between internal risk findings and external statements create legal risk.
- Impact: Enforcement narrative risk and trust erosion.
- Mitigation: Pre-publication review gates requiring technical and legal sign-off.
- Evidence: Review approvals, statement archives, issue escalation logs.