
Yahoo/Verizon Deal

Yahoo! Inc., Form 10-Q, at 47

Lessons Learned

  • A target's cybersecurity practices and monitoring should be carefully assessed, especially when it relies heavily on the collection, use and storage of personal data. Yahoo's lack of emphasis on uncovering, responding to and disclosing security incidents demonstrates how even established companies can fall short in addressing data security responsibilities (and also how customary due diligence can fail to uncover these critical shortfalls).
  • The board's involvement in, and understanding of, the company's data security protocols and recent incidents can serve as a litmus test of a company's cybersecurity risk. Buyers must understand that cybersecurity issues are not IT issues; they are core business issues that the board and C-level management must treat seriously or suffer operational consequences.
  • Relatedly, a buyer must diligence the company's internal cyberawareness and communication practices, and ensure that employees report data security incidents “up the chain,” including to the board. Yahoo's blunders during the Verizon deal could have been avoided had its legal and IT teams properly reported the 2014 Security Incident when they discovered it, and buyers should smoke out any risk that the seller may have similar reporting breakdowns.
  • Cybersecurity diligence should be conducted early, as many companies may be reluctant to disclose such issues (or may not be aware of them). Moreover, cybersecurity weaknesses may not be readily apparent.


Cybersecurity Diligence Priorities

  • What types of digital assets does the company collect, use, transmit and store?
  • Does the target take appropriate measures to collect only the minimum sensitive data it needs and protect data in storage and transit? “Appropriateness” depends on the value of data and its importance to the company's business. Appropriate measures include an established cybersecurity policy, employee education, awareness and training, appointment of an individual accountable for cybersecurity, regular reporting (including to management by the board's audit committee), and access controls such as encryption. Policies should be updated annually.
  • Does the company have a sufficient plan to uncover and respond to security breaches (e.g., an “incident response plan”) and have a person designated to take responsibility for them? Has the company tested its plan through a tabletop exercise?
  • Has the company experienced data security incidents in the past? If so, were vulnerabilities remediated?
  • Does the company conduct regular assessments of cybersecurity weaknesses and is it committed to making cybersecurity a priority, even at the management and board level? Are such assessments conducted using a third-party, objective process?
  • Does the target take appropriate steps to comply with its legal cybersecurity obligations (e.g., state statutes and national regulations, such as the GDPR) or industry-imposed standards (e.g., health care, financial services)?
  • Has the company notified governmental agencies about any cyberincidents (such as letters to state attorneys general or the filing of suspicious activity reports with the Financial Crimes Enforcement Network)? Does the company's policy contemplate providing such notices?
  • Does the company share sensitive data with third parties, such as cloud vendors? If so, has the target included third-party cybersecurity compliance language in its contracts?

Closing Points

Sharon R. Klein is a partner and the chair of Pepper Hamilton's privacy, security and data protection practice. She also leads the firm's technology and digital health practices. Taylor Jon Torrence is an associate in the corporate and securities practice group of the firm. He advises clients on all types of transactions, including mergers, acquisitions and joint ventures, as well as privacy and data protection issues.