April 2017 Issue
Verizon Communications entered into a definitive agreement to acquire the online information platform Yahoo on 25 July 2016 for $4.8bn. The transaction, which has not been completed, excluded cash, shares in Yahoo Japan and Alibaba, Yahoo’s convertible notes, and certain other minority interests and non-core patents. For the money, Verizon is to acquire the operating business of Yahoo, together with the brand and key real estate in Silicon Valley.
In the months that followed the announcement, Yahoo disclosed that it had been the target of two large cyber attacks. The first disclosure was made in September 2016 and revealed that the personal details of 500 million users were stolen, possibly by a state-sponsored hacking group. Yahoo was subject to considerable criticism as to why it had not disclosed that breach before. Then in December 2016, the company admitted that an attack in 2013 had affected more than a billion accounts, although in this instance Yahoo says it did not know how the hackers succeeded. The 2013 attack was brought to Yahoo’s attention by law enforcement agencies. The 2014 attack was first described as having been discovered in August 2016, but Yahoo admitted that some staff knew of the state-sponsored attack shortly after it had taken place.
After the disclosures Verizon quite naturally stated that it believed it had a “reasonable basis” for renegotiating the transaction. Yahoo, however, argued that the revelations have not led to users abandoning the services comprised within the sale package. So, after months of further discussion, it was announced on 21 February 2017 that $350m would be trimmed off the price, taking it down to $4.5bn.
Cyber attacks are not new. In 2012, LinkedIn was hacked and over 117 million account passwords were stolen. Ashley Madison suffered a serious data breach in July 2015 in which more than 30 million unique email addresses were stolen.
These are just a few examples of the different types of cyber security breach. Given the predilection for a single password for multiple accounts, there is obvious value in LinkedIn’s user information. The hackers of Ashley Madison’s database wanted to force the shutdown of the business on the threat of the release of the email addresses. Yahoo drew criticism for its slow response to the 2014 breach, which has the potential to leave users open to hacks and phishing attacks – particularly given that users have only learned of it nearly two years after it actually happened. Countless data breaches are suffered by all, from big business to individuals, and of course not all breaches are reported.
The effect on companies can be severe. In October 2015, TalkTalk was the victim of a well-publicised cyber attack in which almost 157,000 customers’ bank numbers and sort codes were accessed. Although the attack was less successful than originally feared, TalkTalk still lost around 100,000 customers, incurred costs of £42m and pre-tax profit fell by £18m year-on-year. What gives the Yahoo hacks added interest is that they have been announced while in the midst of a sale, and we can see the direct impact on the price to be paid. The cash liabilities arising from the breaches are to be shared equally, but Yahoo will shoulder the burden of shareholder lawsuits and Securities and Exchange Commission (SEC) investigations, which are ongoing. It is well known that Marissa Mayer, Yahoo’s chief executive, was under pressure to conclude a deal but the haircut is perhaps less severe than Yahoo might have expected. Clearly Verizon views the breaches as important, but we might assume that Yahoo’s fundamentals remain in place, notwithstanding the breaches, and this reflects the extent of the impact of the hacks. Nonetheless, $350m is a large figure.
Hackers can gain entry by many methods, including powerful database attacks and by exploiting negligent user practises. Over 40 percent of breaches are from database assaults and 25 percent are due to negligent employees or contractors. The attacks can be morally or politically motivated, as with the World Anti-Doping Agency (WADA) and Ashley Madison attacks. More commonly, the hacks are for financial gain or competitive advantage. According to a UK government report, intellectual property theft is the most damaging form of cyber crime for businesses in the UK. It is noteworthy that cyber security firm Cylance recently completed a Series D funding round at a valuation rumoured to be near $1bn.
It is not just customers and suppliers who will pay attention to cyber security breaches. National regulators keep a keen eye on breaches and they often have powerful sanctions at their disposal. The new EU Data Protection Regulation, set to come into force in 2018, empowers regulators to levy fines of up to 4 percent of turnover, or €20m, as well as other threats and sanctions. Furthermore, the new regulation requires the reporting of cyber breaches.
Potential suitors are watching, too. For companies and their shareholders seeking investment, a sale or an initial public offering, the negative impact of a successful breach could result in downward pressure on valuations, as proven by the Verizon bid. Even for those companies not actively looking for a significant corporate event, a depressed valuation and the impact on cash and forecasts could bring aggressive suitors to the door.
As cyber attacks become more frequent and increasingly newsworthy, the sensitivity of potential purchasers to the risks has increased. Targets must expect greater scrutiny of previous breaches and the processes and policies in place to defend against attacks. It is difficult to control the actions of employees and contractors, or counter the sophistication of state-sponsored bad actors. Attacks will happen and some will succeed. If someone wants to burgle your house, they will. It is up to you to make it as unattractive a proposition as possible and that is reflected in insurance policies. Similarly, companies will not be easily or cheaply forgiven for failing to create and implement reasonable cyber security measures and compliance plans. Conversely, demonstrating that efforts have been made should help reduce the risk of regulator fines and civil action. Having to disclose inadequate policies as part of a due diligence exercise is a potentially damaging action that could be avoided. It is the question of how a business reacts to a data breach which is essential to instil trust and confidence in customers and suitors alike, and not the fact that an attack has occurred.
Despite there being a lack of prescriptive standards to adhere to, some best practice tips promoted both by the UK Information Commissioner’s Office and security services to help reduce cyber security incidents and their impact include the following: (i) the implementation of a risk management programme developed across the organisation; (ii) the appointment of a person or persons responsible for data and cyber compliance; (iii) rolling out updated and enhanced training for all staff; (iv) using reputable anti-virus software relevant to all business areas; (v) insisting that software updates are downloaded upon release; (vi) ensuring all employees use strong or complex passwords; (vii) automatic deletion or quarantining of suspicious emails; and (viii) being ready to quickly and effectively respond to reports of a breach.
This is an excellent starting point for identifying likely areas of vulnerability which malicious hackers will seek to exploit. For both acquirers and targets, this also helps provide an insight as to the topics that should be investigated as part of a due diligence process. Of course, the next step is to have sufficient expertise available to assess the commercial and legal strength of the responses. You could also add deploying an effective PR strategy to the list of useful tips.
With the ever-expanding amount of non-physical, commercially sensitive information being stored virtually, the importance of cyber security will only increase. All companies must ensure a robust security strategy is in place for the sake of their own day-to-day activities and at least preserving company value. Nothing brings the strength of these systems into sharper focus than an attack or the probing questions of a sophisticated CTO, technology expert or lawyer as part of an audit or due diligence process.
Sam Pearse is a partner at Pillsbury. He can be contacted on +44 (0)20 7847 9597 or by email: samuel.pearse@pillsburylaw.com.
© Financier Worldwide
BY
Sam Pearse
Pillsbury