Verizon CEO Lowell McAdam said he is investigating the material impact the breach at Yahoo might have on his company's acquisition bid.
Verizon CEO Lowell McAdam said he is investigating the material impact the breach at Yahoo might have on his company's acquisition bid.

The CEO of Verizon said on Monday that the telecommunications giant is still on track to acquire Yahoo. However, he added, owing to a recent massive breach the terms of the deal could be renegotiated, according to the Wall Street Journal.

Speaking at the Internet Association's Virtuous Circle tech conference in Menlo Park, Calif., Lowell McAdam, the chairman and chief executive officer of Verizon Communications, said he still regards Yahoo as “a real value asset.” However, he expressed concern over the negative news the internet giant has recently drawn.

“In fairness, we are still understanding what was going on and defining whether it was a material impact on the business or not,” McAdam said. The original agreement set a $4.8 billion valuation. Last week, the New York Post reported that Verizon was looking to slice $1 billion off the deal.

While McAdam seemed to regard the hack as the price of doing business, evoking the "it's not if but when" meme, he told the audience that the merger still "makes a ton of sense."

The investigation into the hack is incomplete, McAdam said, adding praise for the Yahoo team for what he termed their "capability."

He predicted that the deal will close between December and February, although regulators might hold up completion of the merger. “Our view is we want to get this behind us as quick as we can and move on,” McAdam said.

Cybersecurity experts told SCMagazine.com they were not surprised that Verizon has asked Yahoo for a $1 billion price reduction, given Yahoo's recent data breach discovery and reports that the company complied with government intelligence services to spy on users' emails in search of terrorist activity.

“I would be very upset with the corporate leadership of Verizon for not doing their due diligence on Yahoo," Philip Lieberman, president and CEO of Lieberman Software, told SCMagazine.com on Tuesday. "Given that Verizon has their own security practice, they should have found the vulnerabilities themselves. The disclosure of this material issue is required by Yahoo, but was not done, so I would say any sort of haircut for Yahoo would be appropriate."

In fact, Lieberman calls for a clean sweep of Yahoo's C-suite for its incompetence and fraud. He suggested that it also waive exit payments due to potential malfeasance. "Verizon has some explaining to do as to why their own security team and corporate due diligence team did not pick this up themselves before public disclosure,” he said.

Lieberman's colleague, Jonathan Sander, vice president of product strategy at Lieberman Software, pointed out that the fact that the negative news could wipe out $1 billion from the proposed deal. “Information security used to be a pest biting corporate ankles and is now the wolf at the front door," he said.

Referencing the breach at Target, Sander pointed out that the incident resulted in several executives departing for their poor management security (the incident cost the retail chain $252 million). "And now Yahoo will lose a billion dollars thanks to a breach in the headlines," he said. "The old adage among the pros was that security was always an afterthought. Organizations let IT operations rule the roost since all the risk and cost was involved with uptime. Now it's clear that you can run with 99.999 percent availability and still lose the business a lot of money and reputation.”

Other experts pointed to the impact the news will have on brand trust and the consequences of inadequate security. “This is one of the very first times that a cost is directly associated to a hack," said Julien Bellanger, co-founder and CEO at Prevoty. "Breaches have an immediate cost related to incidence response and forensic, but it is minimal compared to the long terms costs related to brand trust and organizational security restructuring costs. It seems that Verizon understands that and is pricing the long term cost of the Yahoo hack at what should be a wake-up call for enterprises underinvesting in security."

Kunal Anand, co-founder and CTO of Prevoty, agreed that the prospect of renegotiating the merger makes sense. As an acquirer, Verizon is assuming a lot of risk, he told SCMagazine.com. "Given Yahoo's track record, there is a high probability that there are other application vulnerabilities and open attack vectors." Verizon, Anand said, will have to spend time, resources and money to do deep security reviews and assessments of Yahoo's codebase. "The discount not only accounts for their breaches and email tapping but is likely related to paying off more application security debt.”

Michael Lipinski, CISO and chief security strategist at Securonix, told SCMagazine.com that he is not at all surprised at the news. “The lawsuits alone against Yahoo may be substantial. Additionally, there is the unknown risk associated with what Yahoo may need to do or be ordered to do for the 500 million identities they lost."

 If Yahoo is ordered to provide a year of credit monitoring service to each of those customers (and the number, according to some reports, could be much higher), that number could reach $50 billion, 10 times what Verizon has offered to initially pay, Lipinski added. "I'm sure Verizon is using these current issues to negotiate, why wouldn't they."

It's possible, he added, that the Yahoo value will fall even more than the $1 billion number reported last week. "With the substantial financial risk overshadowing Yahoo and lack of another suitor stepping up with a competitive offer, I would anticipate Verizon getting even more aggressive with the negotiations.”

But John Gunn, vice president at VASCO Data Security, argued that whether the discount to Yahoo's value is more or less than $1 billion isn't the issue, bolstering implementation of security should be the priority, particularly in multifactor authentication. "This demonstrates firsthand the significant destruction of value that can result from a massive breach," he told SCMagazine.com. Businesses, he pointed out, make decisions based on simple economics using a cost-benefit analysis. "In this instance, the cost is investing in better IT security and the benefit is the avoidance of a huge loss in enterprise value. Putting a real dollar value on the damages from a breach should spur additional investment in IT security, especially in key areas of new technology such as multifactor authentication.”