Investigation Shows High-Level Involvement in Two Hacks of Yahoo Customer Data

An independent investigation revealed that senior company executives knew the firm had suffered a major hack in 2014 but failed to properly investigate it.

(TNS) — SUNNYVALE — In a stinging rebuke, Yahoo slashed more than $12 million from CEO Marissa Mayer’s compensation package as it took the first steps Wednesday to assign responsibility for the company’s failures surrounding two record-setting hacks of customer data.

Mayer will lose her 2016 annual bonus and her 2017 equity grant after an independent investigation revealed that senior company executives knew the firm had suffered a major hack in 2014 but failed to properly investigate it.

Yahoo also accepted the resignation of general counsel Ronald Bell.

In a statement Wednesday, Mayer said that when she learned in September 2016 “that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies.”

It is not clear whether she had any knowledge of the attack when other executives learned about it in 2014.

“I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016,” Mayer said in her statement.

Yahoo’s hacking troubles came to public light last year just as Verizon was inking a deal to buy the storied web company. The revelations about the data breaches jeopardized the deal, but last month the two firms announced they would go ahead with a reduced sales price of $4.48 billion, with Verizon getting a $350 million discount as a result of the scandal.

Mayer has an annual “target bonus” of $2 million, double her annual salary. The actual amount paid depends on her performance and that of the firm. The amount that she would have received for 2016 had not yet been approved by the firm’s compensation committee, a person close to the situation said.

Her annual equity grant is determined by the board, but it’s no less than $12 million a year in restricted stock and stock options.

Tim Bajarin, president of Creative Strategies, said that the financial hit to Mayer makes sense given that the hack happened under her leadership.

The buck stops with the CEO, Bajarin said, and executives have to take responsibility for whatever happens during their tenure.

“I think the financial world and the customers view it that way, and as a result it’s being treated that way,” he said.

Still, there are questions swirling about whether Mayer will keep her job. In 2014, Target CEO, president and chairman Gregg Steinhafel stepped down after a massive data breach hit the retailer.

“At this stage of the game, we don’t know how the board is going to react to that and what they want to do,” he said.

Yahoo did not make public the 2014 breach of at least a half-billion user accounts until late last year. That hack, along with one in 2013 of more than a billion accounts, has led to at least two dozen class-action lawsuits.

Also in the fallout from the investigation, Bell, Yahoo’s lawyer and secretary, resigned Wednesday.

“No payments are being made to Mr. Bell in connection with his resignation,” Yahoo said.

The probe found that in late 2014, “senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the company’s account management tool,” Yahoo said in a news release.

“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company’s information security team,” the company said.

The security team was aware that the same attackers also forged Yahoo system cookies in 2015 and 2016, information that was not publicly released until late last year and this year.

Twenty-six Yahoo users had been particularly targeted by hackers, and were notified, as was law enforcement, Yahoo said.

The investigators from an independent committee found no “intentional suppression of relevant information” but that “the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”

Findings from the investigation were contained in Yahoo’s 2016 annual report, filed Wednesday.

Although Mayer said she “agreed to forgo” her annual bonus, the company said its board stripped Mayer of her 2016 annual cash bonus, and that she volunteered to give up her 2017 annual equity grant. The board accepted her offer.

Avivah Litan, a Gartner analyst who covers cybersecurity, said that security is often not on the top of a company’s agenda because it isn’t directly tied to revenue growth.

“Really the only concrete damage to the company … is reputation loss, eventual lawsuits and shareholder anger,” she said.

Yahoo’s board has ordered the company to revise security-incident response policies to help ensure senior executives and the board know about them, and to conduct rigorous investigation of any future cybersecurity incidents, bringing in forensic experts as required.

The sale to Verizon is expected to close between April and June.

©2017 the San Jose Mercury News (San Jose, Calif.) Distributed by Tribune Content Agency, LLC.