Yahoo!'s Mayer is out by millions of dollars as security blame game names names
- Summary:
- Marissa Mayer is donating her bonus and equity award to Yahoo!'s employees as SEC filings expose a culture of ignorance and inactivity at management level following massive security breaches.
It looks like the blame game in Yahoo!’s ongoing struggle to manage the fallout from two massive security breaches might be starting to name some names - and it’s gone right to the top to claim CEO Marissa Mayer’s annual bonus.
Yahoo! last year disclosed two major security breaches - one from 2014 involving 500 million user accounts, the other from 2013 involving a billion. These came to light after a deal had been struck with Verizon to acquire Yahoo! for $4.8 billion.
The revelations threw doubt on the takeover while Verizon sought information from Yahoo! In the event, there is still a deal on the table, albeit with $350 million knocked off the price.
There has been considerable criticism and questioning of how well and how promptly Yahoo! senior management responded to the breaches. According to a filing with the Securities and Exchange Commission, which is carrying out its own investigation into the breaches and Yahoo!’s conduct, executives were made aware that a “state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool”.
Despite this, the action taken in response by management and legal officers did not match the severity of the situation, although this attributed by Yahoo! to lack of understanding rather than intentional deception:
While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.
Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.
Nonetheless, as the Yahoo! legal team did not sufficiently pursue inquiries, this had negative consequences, specifically:
- The 2014 breach was not properly investigated and analyzed at the time.
- Only 26 users were warned that their accounts had been breached.
- Failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the crisis.
- The Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts.
Paying the price
While the overall impression is one of general ignorance and lack of action at management level, two individuals have paid the most high-profile price for their culpability so far. Ronald S. Bell yesterday resigned as the Yahoo!’s top lawyer and General Counsel, with no compensatory payments being made.
Meanwhile CEO Mayer has lost her bonus and more. For her part, the CEO took to Tumblr to tell Yahoo! staff that she was donating her bonus to them:
When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.
However, the SEC filing starkly states that the 2016 due payment was in fact taken away from her by the board. Mayer subsequently offered to add her 2017 equity award on top of that:
In response to the Independent Committee’s findings related to the 2014 Security Incident, the Board determined not to award to the Chief Executive Officer a cash bonus for 2016 that was otherwise expected to be paid to her. In addition, in discussions with the Board, the Chief Executive Officer offered to forgo any 2017 annual equity award given that the 2014 Security Incident occurred during her tenure and the Board accepted her offer.
(Mayer's statement on Tumblr also states that she only learned of the security breach in 2016, which suggests that as CEO, she was in the dark about what had happened, and what was going on, for over two years.)
Her 2016 bonus is thought to have been in the region of $2 million, while her equity award is in excess of $12 million per annum. Meanwhile Mayer remains in line for a $55 million golden parachute if Verizon does not keep her on in some capacity after the takeover closes.
The takeover
The SEC filing also provides more information on Verizon’s lowered takeover bid for Yahoo!. It was already known that the money on the table had been cut, but the filing discloses that there’s still room for things to go even further wrong for Yahoo!. The deal is dependent on it being the case that:
certain data security incidents to which Yahoo has been subject will be disregarded for purposes of determining whether certain closing conditions have been satisfied and in determining whether a “Business Material Adverse Effect” has occurred, and (iii) provided that the date after which each of Yahoo and Verizon may terminate the Amended Stock Purchase Agreement if the Closing (as defined in the Amended Stock Purchase Agreement) has not occurred has been extended to July 24, 2017.
The RA Amendment provides, among other things, that Yahoo and Verizon will each be responsible for 50 percent of certain post-closing cash liabilities related to certain data security incidents and other data breaches incurred by the Company.
As far as potential liabilities go, Yahoo! states that:
We are still in the process of assessing the full extent of the impact of the Security Incidents and the related government investigations and civil litigation on our results of operations, which could be material….As a result of the Security Incidents, we are facing approximately 43 putative consumer class action lawsuits, four stockholder derivative actions and one putative stockholder class action, and other lawsuits and claims may be asserted by or on behalf of users, partners, shareholders, or others seeking damages or other related relief, allegedly arising out of the Security Incidents.
My take
It’s a nice stab to get a good spin out of all this, but I suspect Marissa Mayer’s attempt to play Lady Bountiful comes too late in the day to avoid uncomfortable questions about management’s competence at Yahoo! in recent years. The defence appears to be essentially, “Don't blame us - we didn’t understand what was going on”. But ignorance is never the best defence and merely begs the question, “Well, what were you doing trying to run a multi-billion dollar global company then?”.
It’s nice that Yahoo!’s staffers are in line for their own bonus as a result, but for the management team right now the real question must be how big the ‘bonuses’ will be for litigants as the revelations about what happened back in 2014 finally start to see the light of day. This is far from over yet.