M&A Due Diligence, Cyber Security, and the Massive Yahoo Data Breach
Verizon, which announced plans to acquire Yahoo two months ago, says it only learned of the breach last week.
Yahoo! Inc. recently announced that at least 500 million users' names, email addresses, phone numbers, birthdates, hashed passwords, and in some cases encrypted or unencrypted security questions and answers were stolen from the company's network in late 2014 in what it believes was a state-sponsored attack.
The breach, which was uncovered only recently, comes just two months after Verizon announced plans to acquire Yahoo for $4.83 billion in cash. The deal is expected to close in Q1 of 2017.
In a statement provided to CNNMoney, a Verizon spokesperson said the company only learned of the breach last week. "We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the spokesperson said.
"Given Yahoo's pending acquisition by Verizon, this provides yet another example of why monitoring the cyber security posture of a merger/acquisition target is such a critical element throughout the diligence process," BitSight Technologies vice president of business development Jacob Olcott told eSecurity Planet by email.
And Centrify senior director of products and marketing Corey Williams said by email that Yahoo may well be facing an existential crisis as a result.
"Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel's back," Williams said. "Since this breach occurred in 2014, wasn’t properly communicated or handled, it may very well give Verizon an 'out' or a reason to renegotiate."
A recent survey of senior executives at corporations and private equity firms that frequently conduct M&A transactions found that fully 80 percent of respondents said cyber security issues have become a highly important part of the M&A due diligence process, and 77 percent said the importance of cyber security at M&A targets had increased significantly over the past two years.
The survey, commissioned by West Monroe Partners and conducted by Mergermarket, also found that 47 percent of respondents said the information gleaned in the cyber security diligence process is generally used to plan for fixes to uncovered problems. Thirty-three percent said it's used to decide whether to go through with the deal, and 20 percent said it's generally used to negotiate down the purchase price or other deal terms.
"In the last 18 to 24 months, we have really started to see the importance of cyber security resonate with our clients," West Monroe Partners managing director Matt Sondag said in a statement. "When a data breach lands on the front page of CNN.com or The Wall Street Journal, companies start to pay closer attention to the issue."
When asked what their top concerns are regarding cyber security issues at target firms, respondents listed the cost of correcting existing problems (50 percent), potential complications for post-merger integration (43 percent), the occurrence of frequent or recent data breaches (37 percent), threats to customer data (37 percent), and threats to business data (33 percent).
And when asked to list the most common types of cybersecurity problems uncovered during due diligence, respondents listed compliance problems (70 percent), a lack of a comprehensive data security architecture (40 percent), vulnerability to insider threats (37 percent), inadequate security on mobile devices (33 percent), vulnerable local server storage (30 percent), and a lack of a data security team (27 percent).
Seventy-seven percent of respondents said they had walked away from a deal due to data security issues at the target, and 40 percent of acquirers said they had discovered a cyber security problem at an acquisition after a deal went through.
"Mergers are complicated endeavors, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected," SailPoint president and co-founder Kevin Cunningham said by email.
"Verizon certainly took on a calculated level of risk in acquiring Yahoo, particularly because of its massive user base," Cunningham added. "The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo’s security controls."
Photo courtesy of Shutterstock.