The purchase had been delayed owing to fallout from two massive data breaches.
The purchase had been delayed owing to fallout from two massive data breaches.

Verizon and Yahoo announced on Tuesday that they have agreed Verizon will pay $4.48 billion in cash to acquire Yahoo's operating business.

The cost includes an agreement to slash the original projected cost by $350 million, as well as the assumption of "certain legal and regulatory liabilities arising from certain data breaches incurred by Yahoo," according to a statement from Yahoo.

The acquisition had been delayed following news that Yahoo suffered two massive breaches in 2013 and 2014 that resulted in the compromise of more than a billion user acounts.

Under the amended agreement, Yahoo and Verizon will split the cash liabilities resulting from government probes (excluding any from the Securities and Exchange Commission) and third-party litigation related to the breaches. "Liabilities arising from shareholder lawsuits and SEC investigations will continue to be the responsibility of Yahoo," the statement added.

"We have always believed this acquisition makes strategic sense," Marni Walden, Verizon executive vice president and president of product innovation and new businesses, said. "We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo's tremendous talent and assets into our expanding portfolio in the digital advertising space."

The amended terms provide a fair and favorable outcome for shareholders, Walden added. "It provides protections for both sides and delivers a clear path to close the transaction in the second quarter."

Verizon's purchase of Yahoo's internet operations – currently valued at $4.48 billion in cash, subject to closing adjustments – is projected to close in the second quarter of 2017.

“In the age of cyberespionage, businesses need more than security solutions to protect their customers,"  Gunter Ollmann, CSO of Vectra Networks, told SC Media on Tuesday. "As seen in the case of Yahoo!, businesses that lack transparency and willingness to discuss security matters in an honest and open way will see significant impact on the bottom line, and along with it their market value and reputation."

This highlights that security is a strategic issue and needs to be included as part of any M&A due diligence, Ollmann said. "Likewise, cyberattacks offer the opportunity for motivated external parties to damage M&A target organization's reputation and thus market value."

However, transparency when disclosing a breach is a tricky decision for organizations of any size, Ollmann explained. "There is no easy answer to the debate over breach disclosure because there is yet to be an accepted definition of what qualifies as a breach. Since every large organization is continually a victim of malware and insider attacks, what is the threshold before public notification is necessary?"

It's generally accepted that there is a need to alert the public if customer records have been accessed by an attacker – however, if the records are encrypted and the attacker was unable to derive any PII, then there is no legal requirement to make customers aware, Ollmann said. However, he pointed out, the upcoming EU GDPR and its requirement for appropriate security controls, breach notification and punitive sanctions for non-compliance will be a driver of increased transparency, and hopefully improved security posture.

"There is another assumption that if the breached organization is sufficiently instrumented that they can not only detect a breach, but that they're able to track the attacker's activities and enumerate precisely what data they had access to," Ollmann said.

The challenge, he added, is that most organizations aren't sophisticated enough to identify this level of threat activity. "If you can't detect it, how can you prove you were breached? In fact, gaining real-time visibility into hidden attacks can enable an organization to spot the pre-cursor behaviors of breach and foil the attack earlier in its lifecycle and avoiding a reportable data breach."

Yet, he said, time and time again, we see that failure to disclose a breach – whether it's a conscious decision or not – has its consequences. "Ultimately, consumers are the real victims in the event of a cyber hack. They will happily move onto another service provider that shows a responsibility towards protecting their data."