Wednesday was a bad day for Facebook.

In addition to the groundbreaking $5 billion settlement it reached Wednesday with the Federal Trade Commission and Department of Justice, the social media giant also reached a $100 million settlement with the Securities and Exchange Commission for making misleading disclosures regarding the risk of misuse of Facebook user data.

For more than two years, Facebook’s public disclosures presented the risk of misuse of user data as “merely hypothetical” when it knew a third-party developer had misused its user data, the SEC alleges. Facebook did not admit or deny this claim.

The broader compliance message here: “Public companies must identify and consider the material risks to their business and have procedures designed to make disclosures that are accurate in all material respects, including not continuing to describe a risk as hypothetical when it has, in fact, happened,” the SEC said.

According to the SEC’s complaint, in 2014 and 2015, the now-defunct advertising and data analytics company Cambridge Analytica paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook to create personality scores for approximately 30 million Americans. In addition to the personality scores, the researcher, in violation of Facebook’s policies, also transferred to Cambridge Analytica the underlying Facebook user data, including names, genders, locations, birthdays, and “page likes.” Cambridge Analytica used this information in connection with its political advertising activities.

The SEC’s complaint alleges Facebook discovered the misuse of its users’ information in 2015 but did not correct its existing disclosure. Instead, Facebook continued to tell investors that “our users’ data may be improperly accessed, used or disclosed” (emphasis added). According to the SEC, Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica’s use of its user data that it had discovered no evidence of wrongdoing.

When the company finally did disclose the incident in March 2018, its stock price dropped.

The complaint further alleges that during this two-year period, Facebook had no specific policies or procedures in place to assess the results of its investigation for the purposes of making accurate disclosures in Facebook’s public filings.

“Public companies must accurately describe the material risks to their business,” said Stephanie Avakian, co-director of the SEC’s Enforcement Division. “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”