A cybersecurity risk assessment is a critical part of M&A due diligence  


This column is available in a weekly newsletter called IT Best Practices.

As of mid-February, the plan for Verizon Communications to acquire a majority of Yahoo’s web assets is still on, despite the announcement of Yahoo having suffered two massive breaches of customer data in 2013 and 2014. The sale price, however, has been discounted by $350 million, and Verizon and Altaba Inc. have agreed to share any ongoing legal responsibilities related to the breaches. Altaba is the entity that will own the portion of Yahoo that Verizon is not acquiring.

Following the disclosure of these breaches, Yahoo was highly criticized for its lax stance on cybersecurity. For example, a team from Venafi Labs looked at the cryptographic posture of external Yahoo web properties and claims to have discovered that 27% of the company’s security certificates had not been reissued since January 2015. According to Venafi, replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications. In addition, Venafi says 41% of the external Yahoo certificates discovered use SHA-1, a hashing algorithm that is no longer considered secure. Apparently, Yahoo isn’t even attempting to close the barn door after the horses fled.
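The two certificate-hygiene points Venafi raises (certificates not reissued after the breach window, and certificates still signed with SHA-1) are both things an acquirer can check from the outside against a target's public endpoints. The script below is an added example written for this column, not Venafi's tooling and not anything from Yahoo or Verizon: it decodes the signature algorithm and validity period from a DER-encoded X.509 certificate with a minimal ASN.1 walker, then flags SHA-1 signatures and any certificate whose notBefore date predates a chosen reissue cutoff. The cutoff date, the host names and the certificates it inspects are constructed for the example (DER skeletons with no real key or signature); against a real inventory you would feed it the DER the servers actually present.

```python
"""Offline X.509 hygiene check: SHA-1 signatures and certificates not reissued
since a cutoff date. Example code; the certificates below are constructed."""
from datetime import datetime, timezone

# Signature algorithm OIDs (RFC 3279 / RFC 4055).
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.5"}

# --- minimal DER decoding, enough for the TBSCertificate prefix ---
def _read_tlv(buf, pos):
    """Decode one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(val):
    parts, n = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def _decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_certificate(der):
    """Return (signature algorithm OID, notBefore, notAfter) from a DER Certificate.
    Walks Certificate -> tbsCertificate -> [version], serialNumber, signature, issuer, validity."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    sig_alg_oid = _decode_oid(_children(fields[1][1])[0][1])
    not_before, not_after = (_decode_time(t, v) for t, v in _children(fields[3][1]))
    return sig_alg_oid, not_before, not_after

def assess(der, reissue_cutoff):
    """List hygiene findings: a weak signature algorithm, or a notBefore earlier
    than the date by which every certificate should have been reissued."""
    oid, not_before, _ = inspect_certificate(der)
    findings = []
    if oid in WEAK_SIG_ALGS:
        findings.append("weak signature algorithm " + SIG_ALG_NAMES.get(oid, oid))
    if not_before < reissue_cutoff:
        findings.append(f"issued {not_before.date()}, before reissue cutoff {reissue_cutoff.date()}")
    return findings

# --- constructed test certificates: DER skeletons with no real key or signature ---
def _tlv(tag, val):
    n = len(val)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + val

def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_test_certificate(sig_alg_oid, not_before, not_after):
    """Build just enough DER for inspect_certificate(); issuer is an empty Name."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _encode_oid(sig_alg_oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
           + _tlv(0x30, b"") + _tlv(0x30, utc(not_before) + utc(not_after)))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))

UTC = timezone.utc
REISSUE_CUTOFF = datetime(2016, 9, 22, tzinfo=UTC)   # constructed cutoff for the example
INVENTORY = {                                        # constructed hosts and certificates
    "legacy.example.test": build_test_certificate("1.2.840.113549.1.1.5",
        datetime(2014, 6, 1, tzinfo=UTC), datetime(2019, 6, 1, tzinfo=UTC)),
    "rotated.example.test": build_test_certificate("1.2.840.113549.1.1.11",
        datetime(2017, 1, 15, tzinfo=UTC), datetime(2019, 1, 15, tzinfo=UTC)),
}

def run_inventory(inventory=INVENTORY, cutoff=REISSUE_CUTOFF):
    """Map each host to its list of findings; an empty list means clean."""
    return {host: assess(der, cutoff) for host, der in inventory.items()}
```

The legacy host comes back with two findings (SHA-1 signature, issued before the cutoff) and the rotated host with none. The decoder deliberately reads only the leading fields of the TBSCertificate, which is all these two checks need; a real inventory script would still verify the chain and expiry with a full TLS library, but the reissue-date comparison is exactly the kind of simple, outside-in signal a due-diligence team can collect without any access to the target's systems.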

The Verizon acquisition of Yahoo provides a perfect example of why companies – even those not in the technology industry – need to include cybersecurity due diligence as part of any merger and acquisition (M&A) activity. Any company that plans to acquire another must thoroughly assess the cybersecurity posture of the target company. Too much cyber risk can undermine the value of the deal and delay a proper return on investment.
