Cybersecurity Diligence Issues in Verizon-Yahoo Merger

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Aug. 19 — The $4.83 billion deal for Verizon Communications Inc. to acquire Yahoo! Inc. will create one of the largest technology companies in the world. But the new mega-brand and other merging tech companies may come crumbling down if they aren't diligent in finding and patching cybersecurity deficiencies before and after the deal, mergers and acquisitions analysts told Bloomberg BNA.


U.S. tech companies are responding to pressure to shore up internal networks and information technology infrastructure as more and more companies face data breaches and other hacking incidents. However, many tech companies may not be paying careful attention to the same issues when acquiring another company.

Mike VanDenBerg, managing director at KPMG Cyber, told Bloomberg BNA that “in the past cybersecurity in mergers and acquisitions was a ‘defend yourself and check the box' strategy.” But now during deals, the buyer should use an “offensive strategy” and the seller should “be more transparent,” he said.

“Cybersecurity needs to move much higher up on the checklist for things that are important in a deal,” VanDenBerg said.

Acquiring company boards should be involved when their C-suite is kicking the target company's data security tires because of the central role that brand reputation and privacy trustworthiness plays with consumers, the analysts said.

Diligence Not Just for Tech Companies

U.S. tech companies may face heightened cybersecurity risks because of the vast amount of intellectual property and sensitive consumer data that they handle. But, all companies that handle personal data—and that is nearly every company—need to be aware of all cybersecurity risks during a merger or acquisition.

Shawn Henry, chief security officer of Irvine, Calif.-based cybersecurity company CrowdStrike Inc., told Bloomberg BNA that “regardless of the type of industry, when a company makes an acquisition, they are essentially investing in the intellectual property” and research and development (R&D) “of the proposed partner organization.” Prior to the completion of a deal, companies should “perform a comprehensive assessment, identify the gaps in the partner organization's security posture and develop ways to close those gaps before integration occurs.”

Henry, who also serves as president of the CrowdStrike Services enterprise data breach team, said that his comments are focused on general mergers and acquisitions and not on the specifics of the Verizon-Yahoo deal.

Verizon is the third largest telecommunications company in the world with a $218.7 billion market capitalization and Yahoo is the ninth largest internet media company with a $40.87 billion market capitalization, according to Bloomberg data as of Aug. 18.

Yahoo shareholders have until Oct. 23, 2016 to approve the merger and the deal is expected to be completed by March 21, 2017, Bloomberg data show.

Kick the Tires

The buyer and seller in a tech company merger or acquisition will want to pay close attention to cybersecurity issues before and after the deal, cybersecurity professionals told Bloomberg BNA.

Jeff Stull, chief executive officer at Leawood, Kan.-based cybersecurity risk management company RiskAnalytics, told Bloomberg BNA that during a merger companies used to “only worry about the balance sheet, now cybersecurity is part of the equation.”

In addition to the general “check the box” regulations, companies need to “locate, identify and catalog” all company data, Stull said. “It's very difficult, if not impossible to secure what you don't know.”

VanDenBerg said that during due diligence both the buyer and seller need to “elevate cybersecurity issues to the board level.” Since cybersecurity issues affect “a company's reputation,” the buyer and seller need to look for red flags and “take a deep look at internal systems to learn what data they have and how they protect it,” he said.

The seller will also want to pay close attention to cybersecurity issues because it's a “business driver,” VanDenBerg said. Even though Yahoo is an established company, most sellers are “growing companies” looking to be bought by larger tech corporations, he said. The smaller companies need to prepare for cybersecurity issues, identify the threats “and be transparent with the buyer,” VanDenBerg said.

Sharon R. Klein, partner at Pepper Hamilton LLP in Orange County, Calif. and chairman of the firm's Privacy, Security and Data Protection Practice, told Bloomberg BNA that both the buyer and seller “need to kick the tires” to see if there are any cybersecurity gaps or technological pitfalls in their network infrastructure. The buyer and seller need to know how the other company's “network works and how the other company collects, stores, transfers and ultimately destroys consumer data,” she said.

In the event that there are data security issues post-close, companies should budget for “compliance clean-up,” Klein said. Enforcement actions are more than likely to happen to tech companies that handle consumer data, she said.

Companies that prepare for cybersecurity issues before the deal is finalized will have an easier time cleaning up cybersecurity issues post-deal, she said.

Culture Clash Coming?

Not since the AOL Inc.-Time Warner Inc. deal in 2001 have two companies with such different competing cultures joined together in a large-scale merger, Klein said. The culture clash led to the demise of a united AOL-Time Warner. In fact, Verizon ended up buying the then again standalone AOL for $4.02 billion in 2015, according to Bloomberg data.

Verizon and Yahoo should learn a lesson from the AOL-Time Warner fiasco, Klein said. “The differentiating cultures may be the biggest thing to watch out for,” she said.

Although Verizon comes from a more “brick & mortar” background in a highly regulated field, Yahoo is a “pure tech” and digital advertising company that sees very little oversight, Klein said. “The marriage between these two companies can be very powerful and both sides of the transition have to work very hard to find common ground.”

Culture can also play an effect on how strong a company's cybersecurity practices are, Klein said. Because Verizon is a large telecommunications company, it is a “closed loop and from a national security perspective they try to protect the grid,” she said. On the other hand, “Yahoo is more open to seek out consumer data,” she said.

Verizon and Yahoo will work over the next few years “to come up with a plan to align cultures” for the stability of the company and to combat against cyberattacks, Klein said.

A Yahoo spokeswoman told Bloomberg BNA that the company won't immediately make any changes to their operations and will “discuss integration plans over time.” During the due diligence phase, “Yahoo will remain focused on executing against the strategic plan we established at the beginning of the year,” she said. Verizon didn't respond to Bloomberg BNA's request for comments.

Considering the Human Factor

Employees may be the central factor in detecting and preventing data leaks and cyberattacks once the deal is complete, the analysts said.

Klein said that “there has to be a transition period for the selling company's chief information security officer, so that the buyer can understand enough about the seller's network and technology in order to respond and fix any issues downstream.”

Although companies may “do an assessment through an accounting firm,” it will most likely not catch all cybersecurity deficiencies, Klein said. Because tech companies are “layered like an onion,” the buyer needs someone with experience of the seller's technology to properly detect any cybersecurity shortcomings, she said.

Stull said that “companies like Verizon and Yahoo have teams of the most talented security professionals on the planet,” and both companies “have very secure environments.” However, “humans are human and do things that thwart the best security practices,” he said.

Companies may plan for cybersecurity and technology gaps, but “you can't remove the information that is in the heads of employees” from either company, Stull said. It is this “more practical information that causes the biggest headaches,” he said.

Klein said that either through hacks or cybersecurity deficiencies, all “tech deals come down to people.”

Is Tech More at Risk?

The tech industry may face specific cybersecurity threats other sectors don't face due to consumer facing data and intellectual property issues.

Henry said that “cybersecurity threats are truly ubiquitous today” and strike across all sectors. But, the “tech sector is still a highly targeted field because of the all the IP and innovation it holds,” he said.

The first step in the deal process is “truly understanding the network systems the buyer organization is about to purchase, which contain the valuable IP they are acquiring,” Henry said. Before the purchase is complete, tech companies must confirm the “integrity of the data” being acquired and “the team assessing it must be able to provide a level of scrutiny that ensures all areas are fully evaluated, diagnosed, and proved secure,” he said.

Although the tech industry may have specific cybersecurity issues in mergers and acquisitions, all industries should pay attention to intellectual property and research and development risks, Henry said.

VanDenBerg said that consumer-facing tech companies need to pay special attention to cybersecurity issues because “they probably have consumer data on majority of the U.S. population.” If the consumer data isn't protected, companies may be at risk to hackers, he said. “Hackers see this as a moment of weakness,” VanDenBerg said.

To limit this risks the buyer and seller need to be careful when combing “cost synergies,” VanDenBerg said. Cost synergies are apparent in “IT infrastructure, core technologies, data centers, networking equipment, and even the developers,” he said.

The buyer and seller need to combine resources to make sure that both companies are on the same page with cybersecurity, VanDenBerg said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security