Yahoo / Verizon: A $1B Data Breach Discount?

Bob Post, Senior Practice Director, Cyber Risk Advisory, Coalfire

In July of this year, Verizon announced it was going to buy Yahoo for $4.8B. A few weeks later, Yahoo started investigating a potential data breach of around 200 million records that were for sale on the Dark Web. In mid-September, Yahoo disclosed that sometime in 2014 it was attacked and roughly 500 million user accounts were compromised. A couple of days later, Verizon said this was the first it had heard of the breach and that the event may have a “material impact” on the purchase deal. By October, news reports were circulating that Verizon may ask for a $1B discount off the purchase price.

That $1B discount equates to nearly 20% of the original offer. Could it be that cyber risk wasn’t adequately considered by those putting the deal together?

Maybe the deal will go through. Maybe it won’t. I’m sure each side’s lawyers and financial advisors are going back and forth. That will certainly run up the transaction costs. Even after the public relations teams put a happy spin on the outcome, the incident cost time and money beyond the actual effect the breach had on end users. So how do you prevent something like this from happening? Include cyber risk as part of the due diligence and do it early.

For the buyer side, have your cybersecurity experts take a hard look at how the target company approaches identifying and securing the “crown jewels”. Questions to ask include: How often do the Board and Executive Leadership Team discuss cyber risk? Who is responsible for cybersecurity? Where are they placed in the organization? Do they have sufficient resources to accomplish their task? Have they identified their critical assets, and what measures have they taken to protect them? How do they monitor their networks and assets to detect possible malicious activity?

On the seller side, the time to address these issues is well before you decide to put yourself on the market.  You should know what drives value in your company and take measures to protect that value.  You should understand the cyber risk as much as you do the financial and market risks.  After all, if an incident cost you 20% of your company’s value, that’s a serious agenda item for the Board.
