Corporate boardrooms have much to learn from Yahoo’s historic security failure
by Amjed Saffarini, CEO, CyberVista
News of the Yahoo (Yahoo! Inc. – YHOO) data breach affecting at least 500 million accounts comes on the heels of an announcement in late July that Verizon would acquire the company in a deal worth $4.8 billion. While basic details of the breach are coming to light, the unprecedented number of people affected and the impending sale to Verizon complicate the true impact of this breach. What’s more embarrassing is that the adversary has had access to these accounts since 2014, casting a shadow on Yahoo’s security program and security leadership culture, as well as on the due diligence completed by Verizon.
These complications present challenges for the boardrooms at both Yahoo and Verizon, which will have to contend with calls that both boards could have done more to mitigate cybersecurity risks in running their business (for Yahoo) and in conducting their acquisition diligence (for Verizon).
The breach beyond Yahoo.com emails
Yahoo’s back end email-as-a-service infrastructure is used for the well-known @Yahoo.com mail service, but millions of unsuspecting users around the world are affected through use of other Yahoo properties. Those who regularly use Yahoo Finance or the popular Yahoo Fantasy Sports (or any Yahoo app for that matter) will likely have a Yahoo account affected by the security breach. Yahoo mail also powers accounts provided to users of other service providers, such as emails used by customers of AT&T, Rogers, Frontier, Verizon and many other Internet service providers (ISPs). Many small and medium businesses also use Yahoo mail to power their email systems, including law firms with personalized domains who now have to determine if confidential client data was compromised.
Unencrypted security questions and answers are often reused across all types of high-security sites, such as banking, health and other protected services. The questions, which include maiden names, pets and favorite teachers, are especially problematic when combined with the email account breach. Most website accounts on the internet can be hijacked by having access to the backup email and security answers, which now appear to have been simultaneously compromised.
Marissa’s collect call to Verizon
Verizon found out about the breach through a phone call from Yahoo CEO Marissa Mayer only two days before the public announcement. Initial claims of 200 million stolen records dating back to June of this year were found by Yahoo to be unsubstantiated, but a deep investigation followed in July and eventually unfurled this much larger, longer-lasting security intrusion going back to 2014.
Verizon sources shared that Verizon was never told of any such investigations or breaches by Mayer and her team prior to signing the purchase agreement on July 23. Other bidders for Yahoo during the auction process also corroborated this and were not told about these breach investigations. However, internal Yahoo sources have indicated that Marissa Mayer and her executive team knew about and even closely managed the incident response to the initial breach while the merger negotiations were taking place in July.
These allegations stack up to big problems for the merger, the two boards, and both sets of executives. Challenges will likely come from federal, state and international regulators. Consumer class action lawsuits have already been filed, and similar ones from shareholders are likely if the allegations prove true. Most importantly, the allegations betray the Yahoo executive team’s lack of a security-driven culture, a lack that permeates from the top down into the rest of the organization.
Regulators will want to reconcile disclosures made on the September 9 proxy filings of the Verizon-Yahoo purchase agreement to determine when Mayer, her team, their advisors, and the board knew about these breach investigations.
In the September 9 filing, Yahoo represented that “there have not been any incidents of, or third party claims alleging, a security breach that could have a material adverse effect on the business”. In addition, the filing states that Yahoo “has not received a notice of any claims or investigations with respect to personal data possessed by Yahoo that could have a business material adverse effect”.
If Mayer knew about and managed these investigations all along, then what valid rationale did she and her team have to withhold this information from their buyers during the due diligence discussions? It would be difficult to imagine a buyer taking the position that this massive breach investigation information is irrelevant to their bid or risk appetite to acquire the business.
Questions will also surface as to when or whether the board was notified and what part it had in deciding when to publicly disclose the breach. Issues of disclosures are not clear cut. Boards and executives often have to decide between contradictory instructions for when to disclose that take into account business cycles, availability of information, and relevant laws.
As part of the same SEC proxy filing in the Annex where Yahoo describes the ‘Fund’ that remains after selling the core business, Yahoo expresses risks and what it believed to constitute business materiality as it relates to cyber incidents:
“Any compromise of Alibaba’s or Yahoo Japan’s online security or misappropriation of proprietary information could have a material adverse effect on the Fund’s investments. To the extent that Alibaba’s or Yahoo Japan’s activities involve the storage and transmission of proprietary information, security breaches could damage Alibaba’s or Yahoo Japan’s reputation and expose them to a risk of loss and/or litigation which might adversely impact the Fund’s investment performance.”
In other words, the definition of a material adverse effect that Yahoo itself uses later in the same statement describes, in no uncertain terms, exactly what happened to its core business.
Cyber implications for the boardroom – M&A
The primary fiduciary duty of a board is to protect the organization’s assets and to represent and safeguard shareholder investment. This is especially true during acquisition discussions, when the incentives of many of the parties involved start to align with one another but may conflict with those of the shareholder. Executives typically have big pay days attached to their retention or separation agreements, and counsel, advisors, banks and the market also have a lot to gain from expedient mergers. Proper diligence and vigilance to the duty, however, call for taking the right amount of time to uncover systemic weaknesses in the assets being acquired, including comprehensive cyber diligence.
Verizon is acquiring Yahoo because of its ability to engage users with its content (and thus advertising). Whether for sports, finance or the typical mail client, the most valuable eyeballs are coming from registered Yahoo users, the same group most affected by this breach. Whatever the value attributed to Yahoo last week, it is certain to be lower after this breach announcement.
Verizon’s initial bid for Yahoo was more than $1B lower than its final bid. It also required Yahoo to indemnify Verizon for breach of representations and warranties, which included a warranty that no security incident had taken place or was known about. Verizon’s second draft bid (and every draft through the final one) removed this indemnification requirement. The Yahoo board prioritized Verizon’s bid precisely because it eventually removed an indemnification requirement against liabilities of the company pre-closing.
On the Yahoo side, it is now becoming clear that Yahoo executives actively de-prioritized cybersecurity spending compared to other email providers like Google after both were hacked in 2010. While Google has taken very active mitigations in the last 6 years that make that priority clear, Yahoo is now facing a chorus of former and current security employees who are admonishing the company for years of neglect in securing customer data, and who have tales to tell publicly and in testimony.
The Verizon board’s top 3 cyber diligence list:
1. What is the likely fallout? Based on the fallout of the Yahoo data breach and its limits, Verizon may ask to modify the price. Similar breaches at Target, Ashley Madison, and Adobe have cost anywhere from $100 million to more than $1 billion, covering only modest notification and remediation fees.
2. Protections and guarantees. What additional protections and guarantees would be needed to limit the reputational, operational, and financial risks of this breach? At minimum, it is likely that the indemnification clause will make its way back into the contract.
3. What cyber risk mitigations will be enacted to protect the core business from the cyber-toxic asset during transition? Once the merger closes, Verizon will be assuming all of Yahoo’s breach liabilities on day one, even without a technical integration. Verizon will need to effectively quarantine the Yahoo business to avoid any cross-contamination until it is certain the risks are better mitigated, even if the known liabilities are dealt with pre-closing.
The Yahoo board’s top 3 cyber diligence list:
In April of this year Starboard Capital was successful in installing four new directors on Yahoo’s board. Here are some things that the four of them and the incumbent board can do to mitigate the effect of the current breach, especially in light of the newcomers’ inexperience on Yahoo’s board:
1. Meet with the Audit Committee. Get a standing meeting in place with the audit committee’s members or another specially formed sub-committee. The strategic review committee met every day during the sale process, when value creation was the opportunity. This committee should meet daily to get updates on the breach remediation and ongoing stakeholder issues in order to mitigate value destruction.
2. Get ahead of the problems with stakeholder mappings. Who are the stakeholders and what is the impact to them? The board needs to be more hands-on in a crisis, especially in negotiating with high stakes partners, customers, and vendors.
3. Identify the company’s crown jewels, the most valuable assets of the organization. Though this is a step best done well in advance of an incident, it’s better to do it now than not at all. Identifying the crown jewels helps focus the emergency response on those assets. For example, if customer engagement is key, then making customers feel safe quickly may involve creating more robust two-factor authentication apps.
New York State announced last week draft corporate cybersecurity protection rules that would go into effect in mid-2017 for financial institutions. New York’s rules require the full board to be involved in a company’s cybersecurity plan, to meet certain control and assessment minimums quarterly and annually, and to conduct rigorous cyber training for employees from the lowest levels up to the boardroom. Furthermore, they require companies to install two-factor authentication on their critical systems within the next 3 years.
The appetite for such rule making will grow as self-governance debacles continue to grow in scale and frequency. One can’t help but imagine that the Yahoo breach would have been remediated, or at least discovered sooner, had some of these controls been in place.