
The ongoing fallout from the 2014 data breach at Yahoo has personally cost CEO Marissa Mayer upwards of $14 million. On March 1, Mayer announced on her blog that she had agreed to forgo her annual bonus and equity grant, due to the breach happening on her watch as CEO. The bonus is worth $2 million, and her contract puts her minimum annual equity package at $12 million. This personal cost to Mayer is just the latest price to pay for the data breach, which, along with a separate breach in 2013, compromised the personal data of over 1 billion users.
The huge scale of this incident, both in terms of the scope of the breach and the money at stake, makes it a valuable case study for companies evaluating their risk management and incident response capabilities. Below, we’ve outlined five key takeaways from the Yahoo case that companies of all sizes should be considering.
In 2016, SEC Chairwoman Mary Jo White called cyber security the biggest threat to the American financial system, and the SEC’s actions in 2017 have shown that this increasing focus on cyber security extends into other industries as well. For example, Yahoo is being investigated based on their breach notification speed—a topic that has not historically piqued the SEC’s interest.
Along with the SEC, the FCC and FTC have recently become much more likely to scrutinize privacy issues following a breach. In an interview with BankInfoSecurity, Randy Sabett, Special Counsel at law firm Cooley LLP, said that because each of these regulators has jurisdiction over some aspect of personal information protection, they are all getting involved in enforcing proper breach response. This regulatory environment is making it difficult for companies to know what to do, as the mandate and rules for each regulatory body are broad and often vague in their application to cyber security incidents.
Data breaches are now widely accepted to be a ‘not if, but when’ scenario. Even at the scale of Yahoo’s breach, how a company responds to an incident dictates the regulatory and reputational fallout. This means that proper incident response and risk management have never been more important. An independent investigation found that Yahoo’s senior leadership did not act sufficiently on the knowledge that their Information Security Team had. Yahoo has also been unclear about the timeline of its breach response, saying in separate statements that some employees knew about the breach in 2014, and also that it didn’t find out about the breach until it was noticed by law enforcement agencies in 2016. With the SEC and other bodies beginning to investigate breach notification speed, having a strong internal system that guides employees through spotting, communicating, and reporting cyber security incidents is crucial.
With this much scrutiny attached to data breach response, there is no way for senior executives to deflect blame. In addition to Mayer’s forfeit of millions of dollars, Yahoo General Counsel Ronald Bell resigned without severance pay as a result of the breach. In addition to the SEC, Yahoo is being investigated by myriad parties, including the FTC, multiple state attorneys general, and a U.S. attorney’s office, and this intense regulatory scrutiny is also felt directly at the C-level. Frustrated by Yahoo’s inconsistent statements, Senators John Thune and Jerry Moran have written directly to Mayer, setting a deadline for clear answers to questions regarding the timeline of the breach.
The potential for cyber security events to have a devastating impact on a company is widely understood, but the Yahoo case makes this impact easy to quantify: $350 million. That’s the value of the discount that Verizon, which agreed to purchase Yahoo months before the breach was revealed, was able to negotiate off its purchase price. And that’s just one easily observable outcome. A story like this also leads to months of bad press, as investigations, reports, and testimonies keep the incident in the news.
What’s worth noting about the discount that Verizon negotiated is that it seems to have been driven more by Yahoo’s response to the breach than by the breach itself. When the breach was first revealed, Verizon did not seem concerned, with CEO Lowell McAdam saying he was “not that shocked” to learn of the breach. However, after a few months of investigations and scrutiny into Yahoo’s response to the incident, Verizon had grounds for its $350 million discount.
As Verizon’s McAdam has also said: “it’s not a question of if you’re going to get hacked but when you are going to get hacked.” Similarly, organizations need to ask themselves whether they are going to implement an incident response platform before, or after, they get hit with a breach. The fact is that significant regulatory and reputational costs don’t come from cyber security incidents themselves; they come from systemic incident response and risk management failures.
Following the breach, Yahoo has poured massive amounts of resources into risk management and incident response, including adding a formalized risk management program, appointing a risk management executive, expanding its advanced persistent threat team, and bringing in two digital forensic investigation firms. This is all just part of the estimated $250 million spent by the current leadership team on security projects.
Investing in a strong incident management solution like D3 won’t cost you hundreds of millions of dollars, but it could save you from being the next company to go through this type of ordeal. D3’s incident response platform provides a full-lifecycle remediation solution and a single tool to determine the root cause and corrective action of any incident. The system’s playbook library and orchestration engine guide responders at each step—from detection through resolution—while a powerful intelligence layer generates metrics, trend reports and actionable intelligence for all stakeholders.
Click on the button below to book a demo to find out why, and how, 100+ of the Fortune 500 use D3 to orchestrate incident response, connect with security technologies, and apply data-driven decisions across an enterprise-wide vision of risk.