While the tech world was left spinning in late 2016 when it was discovered that Yahoo suffered a massive breach, Verizon stayed calm.
In the 72 hours immediately following the disclosure, the telecommunications giant — which was moving to acquire Yahoo — made no snap judgments or assumptions, said Craig Silliman, Verizon’s executive vice president for public policy and general counsel.
After Verizon aligned its strategic interests with Yahoo’s, the first question Silliman asked was about “the effect on the reason [Verizon] was buying this asset in the first place,” he said.
“We bought Yahoo for user and user engagement,” he said Wednesday at the Wall Street Journal’s Cybersecurity Executive Forum in New York. “So when you have a breach on the user, how that company reacts is important.”
Silliman said he spent countless hours talking to C-suite level executives from both Verizon and Yahoo in the wake of the breach. During and after these calls, he focused on determining if the breach represented a materially adverse condition, one of two conditions (the other being fraudulent inducement) that could justify a change in negotiations. As of October 2017, the breaches had affected more than 3 billion accounts.
As Yahoo’s cybersecurity, legal and business teams focused their attention on an operational response, Verizon took time to assess the deal’s new risks and rewards, Silliman said.
And as the breach became public knowledge, Verizon was inundated with recommendations and presumptions that it would lower its price offering for Yahoo in order to cover liability costs. Eventually, $350 million was knocked off the acquisition price.
However, Silliman said that $350 million figure was erroneously analyzed by the press.
“Numbers thrown around have various uses,” he said, noting that his team instead focused on the possible implications of changing the purchase agreement, including any impact on the acquired Yahoo employee base, concerns from the investor base, and both short and long-term consequences from Verizon’s public response.
“In a negotiation, you can play the cards however you want, but you have to know what the cards are,” he said, adding that trashing an asset one’s acquiring usually isn’t a great idea.
According to the live audience poll taken during Silliman’s panel, these types of card-playing strategies certainly influenced cyber risk’s role in mergers and acquisitions.
Silliman elaborated that the negotiation around the valuation points to a larger trend in the cyber insurance industry, which was prompted by more than just the widely broadcasted Verizon-Yahoo deal.
“We started seeing people talk about things like cyber indexing and look at companies’ overall risk profiles,” he told CyberScoop, in response to a question about Verizon’s precedent in determining cyber risk and valuation. “The insurance industry has certainly shaped how companies deal with cyber risk because they have so much back and forth with those companies.”
He added that Yahoo not having cyber insurance was ‘”definitely a factor” in the deal and represents a clear “lessons learned” about the importance of possessing such a policy.
Even as Verizon struggled to value the breach’s ultimate impact, however, the company also took a step back to analyze what additional breaches liability concerns could come from hacks that hadn’t yet been disclosed.
“After the second breach, we needed to be careful not to catch a falling knife, if there was going to be a third of fourth shoe dropped,” Silliman said. .