Verizon Communications announced its intention to acquire Yahoo for $4.83 billion July 2016. In striking this deal, Verizon sought to strengthen its position in the digital advertising and media markets that it operated in under its subsidiary, AOL Inc. Those hopes were dashed in September when Yahoo announced that a large-scale data breach had occurred in late 2014, impacting approximately 500 million users.
To make matters worse, just three months later, Yahoo announced that another data breach, allegedly performed by the same “state-sponsored actor,” affected around 1 billion users in August 2013. These announcements nearly terminated the Yahoo acquisition, but the real lesson of the data breach is for the merger advisers who could have been found liable for failing to investigate and disclose cybersecurity threats.
This data breach came as a shock to many Yahoo users who had entrusted confidential information to Yahoo in the form of unencrypted security question responses, alternative email accounts and more. Following the breach, many Yahoo users went to great lengths to modify their passwords and security question responses on both their Yahoo account and their other online services to mitigate the impact of the breach on their online presence.
If this data breach was bad news for Yahoo’s users, then it was worse news for Yahoo, Verizon and the advisers on both sides of the acquisition. The acquisition was originally expected to close in first quarter 2017, but Verizon has largely been silent about the deal since news broke about the data breach.
Confidential sources to Bloomberg have confirmed that Verizon is biding its time to assess the damage that has been done to Yahoo’s financials because of the breach. After Verizon finishes their assessment, they will likely renegotiate pricing and terms or pull out of the deal entirely.
Per AOL CEO Tim Armstrong, who is leading the acquisition for Verizon, the public can expect official word from Verizon on whether they will move forward with the deal in the first half of 2017.
Although market analysts are optimistic that the deal will be finalized this year, Yahoo’s breach tells a cautionary tale that should be heard by firms, banks and investors: Cyber security is critically important. Wall Street banks and large corporations are no strangers to the threat of cyber criminals, but the Yahoo breach has raised the stakes for advisers and underwriters. The Securities Act of 1933 sets forth a set of hefty criminal and civil penalties for material misstatements or omissions on the part of attorneys, accountants, directors, underwriters and other signers on the registration statements involved in the transaction. Reasonably, failure to communicate the firm’s cyber security risk could constitute as a material omission of fact.
Importantly, as external parties, underwriters and advisers have a liability “out” in the form of the due diligence exemption. The exemption states, if the implicated underwriter or adviser can demonstrate that they made reasonable investigation into the correctness and completeness of the information presented, they can protect themselves from civil and criminal liability.
In the face of a changing cyber security landscape, banks that advise and underwrite transactions may begin to recruit cyber security firms to conduct cyber risk assessments for their clients to avoid liability.
Advisers and underwriters can instigate cyber risk assessments to limit their liability by obtaining essential information about the firm’s data, security and management. This information includes software configurations, user management procedures, monitoring techniques and incident response protocols. With this information, cyber security firms can assess the risk to sensitive data stored on company networks.
Fortunately for the advisers to the Yahoo acquisition, news of the data breach surfaced before the deal was finalized. If the news had broken after the deal had been finalized, the advisers could be on the hook for damages.
Moving forward, however, advisers and underwriters cannot count on being so fortunate. To manage modern cyber threats, underwriters and advisers need to contract with cyber security firms to conduct due diligence and cover their own liability. Due diligence may or may not save the deal, but it will save the firm.