What If, Hypothetically, Yahoo Had Been Hacked?

(Bloomberg View) -- Yahoo!?

Here is some pretty disclosurey disclosure:

If our security measures are breached, our products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure.

Our products and services involve the storage and transmission of Yahoo’s users’ and customers’ personal and proprietary information in our facilities and on our equipment, networks and corporate systems. Security breaches expose us to a risk of loss of this information, litigation, remediation costs, increased costs for security measures, loss of revenue, damage to our reputation, and potential liability. ... Security breaches or unauthorized access have resulted in and may in the future result in a combination of significant legal and financial exposure, increased remediation and other costs, damage to our reputation and a loss of confidence in the security of our products, services and networks that could have an adverse effect on our business. We take steps to prevent unauthorized access to our corporate systems, however, because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently or may be designed to remain dormant until a triggering event, we may be unable to anticipate these techniques or implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures could be harmed and we could lose users and customers.

It is from the risk factors in Yahoo! Inc.’s Form 10-K for 2014, filed a few months after Yahoo discovered that it had suffered a massive security breach, and a few years before Yahoo publicly disclosed that breach. Imagine if we got hacked, said Yahoo, after it had been hacked. That would be really bad for our stock price, it said, about the hack, which had happened, and which turned out to be bad for its stock price. It is a perfect example of a certain kind of lawyerly thinking: If a bad thing has happened, and you don’t want to disclose it, but you do want to be able to say that you had disclosed it, why not disclose that the bad thing is hypothetically possible, so that people are theoretically on hypothetical notice about it? It is … not a great approach. But to be fair “Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings,” so you can’t exactly blame the lawyers here.

That last quote is from the Securities and Exchange Commission, which yesterday fined Yahoo — well, actually, Altaba Inc., the entity formerly known as Yahoo — $35 million for sitting on knowledge of the data breach for almost two years. Not only did it not disclose this material event, but Yahoo’s filings, as the SEC put it, “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” If they just hadn’t mentioned data breaches — if data breaches just weren’t the sort of thing that Yahoo’s management thought about — then, you know, that would be dumb, but I suppose it would have been almost possible to claim that Yahoo didn’t think it was a big deal that needed to be disclosed. But Yahoo did know, and described in detail, how bad it would be if its systems were breached. It just forgot to mention that they were.

The SEC has been on a bit of a cybersecurity kick recently; in February, it released “guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” I confess that I do not fully understand why this is a big deal. Cybersecurity breaches can be bad, and if they are bad a company should disclose them, the same way it should disclose if a factory blew up or a product turned out to be poisoning people or whatever. Just as in those cases, the company will be disinclined to disclose, because the disclosure would be embarrassing, and would potentially give competitors an opportunity to take away customers. And the company will weigh its disclosure obligations against its own preferences and try to come up with some way to satisfy the law while providing a minimum of actual insight, as one tends to do, in securities disclosures. And the SEC will push back and try to get companies to write disclosure that reflects how they actually think about and manage their businesses, and the companies will constantly filter that disclosure through layers of lawyering that ends up making it hypothetical and not especially useful.

But that doesn’t seem different in kind from how companies disclose any other bad thing that can happen to them. And it’s not like companies don’t know that data breaches are a serious risk or that they would be material to shareholders. After all, they’re disclosing them already! Just, hypothetically.

The BCFP, a/k/a CFPB.

Mick Mulvaney, the unenthusiastic part-time acting director of the Consumer Financial Protection Bureau, wants “to end public access to a web portal used by hundreds of thousands of consumers each year to file complaints against financial companies” because those complaints have not been fully reviewed:

“I don’t see anything in here that says I have to run a Yelp for financial services sponsored by the federal government,” Mr. Mulvaney said at a banking industry conference, holding up a copy of the 2010 Dodd-Frank financial law that created the CFPB.

Does he … carry around a copy of Dodd-Frank everywhere, the way other politicians keep a copy of the Constitution in their pockets? Who uses the Dodd-Frank Act as a prop? Anyway, consumer advocates object:

“It’s an incredibly important tool that empowers consumers,” said Aaron Klein, a policy director at the Brookings Institution. “Why would he want to reduce information so people could make less-informed choices?”

I have to say that I find that objection somewhat unrealistic: The people likely to be suckered by bad consumer financial services are overwhelmingly unlikely to be the people who carefully review the CFPB’s complaint database before choosing financial services. The point of the CFPB, you’d think, would be to take consumer complaints, evaluate them, and then punish or remedy any problems — not to take the complaints, publish them, and let the consumers sort them out for themselves. Of course the concern is that Mulvaney’s CFPB won’t do either one, and arguably letting consumers evaluate the complaints is preferable to having no one do it.

What else did Mulvaney get up to at that conference?

Mr. Mulvaney also said he would begin calling the Consumer Financial Protection Bureau by its official statutory name, the more obscure Bureau of Consumer Financial Protection. … “I’m trying to get in the habit of now saying the ‘B.C.F.P.’ It’s really, really hard to do that when you’ve said the C.F.P.B. for so long,” Mr. Mulvaney told the bankers.

Ah. I feel like there is some sort of symbolism there that has gone entirely over my head. But also:

“We had a hierarchy in my office in Congress,” Mr. Mulvaney, a former Republican lawmaker from South Carolina, told 1,300 bankers and lending industry officials at an American Bankers Association conference in Washington. “If you’re a lobbyist who never gave us money, I didn’t talk to you. If you’re a lobbyist who gave us money, I might talk to you.”

Ah yes the old trick of explicitly telling bankers to give you money in order to change regulations to benefit them! I mean. It is an approach. When he started at the CFPB, Mick Mulvaney wrote a nice memo about the rule of law, and I praised him for it, and I’ve felt like a bit of a sucker ever since.

Gender pay gaps.

Here is a column by Andrew Ross Sorkin about a study finding that “there may be no pay gap at all between male and female chief executives of publicly traded companies.” Here is an article about how more Fortune 500 CEOs are men named James than are women. So: two data points!

There are at least three ways to think about the gender pay gap, and in the case of CEOs they all seem to point in different directions:

  1. Aggregates: The total amount of money paid to male CEOs is a lot larger than the total amount of money paid to female CEOs. Mostly because there are a lot more male than female CEOs.
  2. Averages: Interestingly, Sorkin points out, one study found that “female chief executives were being paid more than their male counterparts, with a median compensation level of $13.8 million, compared with $11.6 million for men.” Even if the total amount paid to male CEOs is higher than the total amount paid to female CEOs, each of the female CEOs could get paid more than each of the male CEOs, just because there are so many more men.
  3. Adjusted averages: The study Sorkin links to found no significant gender pay gap for CEOs after it “controlled for several possible confounding factors, including (but not limited to), firm size, firm performance, equity returns, firm risk, CEO tenure, CEO duality, board size, and board independence.” It’s possible that the average female CEO gets paid more than the average male CEO because (say) female-led companies have higher equity returns. In that case, you might not say that there is a “gender pay gap” (you might!); instead you might say that male and female CEOs are paid the same for the same performance, or that they are paid the same after adjusting for performance, or whatever.

Basically the data seems to be that male CEOs are paid more than female CEOs in aggregate, less on average (or median), and about the same after adjusting for some lists of factors.

If you are considering societal structure and equality of opportunities, then you will probably care about aggregates — it seems important to have at least as many women as Jameses in high-powered positions, not just to pay the women who are in those positions as much as the Jameses — though that is debatable. If you are considering whether a company is paying women fairly, based on its own criteria and the actual performance and experience of the actual women who work there, then you will probably care about adjusted averages, though that is also debatable. Given that each company has one CEO, it’s hard to see why anyone should care that much about adjusted measures of CEO pay, but, you know, it is something.

The crypto.

Everyone knows that Bitcoin is not a great medium of exchange because its value fluctuates so wildly, but that problem has broader implications than just Bitcoin’s usefulness as a currency. For instance, if you have an agreement in principle to invest in a cryptocurrency business, and you take a month to do due diligence, or even sleep on it overnight, then you shouldn’t expect the deal to still be there when you get back:

According to the Hong Kong court filings, Zhao and Sequoia began negotiating terms of an investment in Binance in August. The deal would have given Sequoia a nearly 11 percent stake and valued the exchange at about $80 million.

Talks continued over the next few months, the court documents show, a period in which cryptocurrency prices and transaction values soared to all-time highs. But in mid-December, as Bitcoin traded at a record near $20,000, the negotiations broke down.

On Dec. 14, Zhao’s team told Sequoia that Binance’s existing shareholders thought their proposed deal undervalued the exchange. Around the same time, Zhao was approached by another VC firm, IDG Capital, with an offer that would have injected two rounds of funding into Binance at vastly higher valuations: $400 million and $1 billion, respectively.

That’s from a story about how venture-capital firm Sequoia Capital is suing Zhao Changpeng, the founder of Binance, over a busted deal; “at issue is whether Zhao’s talks with IDG Capital violated his exclusivity agreements with Sequoia.” I have to say, even if they did, it’s hard to blame him: If you strike a deal to sell some of your crypto exchange at an $80 million valuation, you can’t really wait around for months to finalize it. Crypto valuations seem like they’d be good for a day or two, tops. If your buyer is taking too long to get back to you, eventually you’re going to get another offer at 10 times the price, exclusivity or not. And if you’re the buyer taking months to finalize a deal at a fixed price, then you are to some extent missing the point of crypto.

Elsewhere in crypto exchanges:

The Winklevoss twins brought in the pros to keep cheaters off their cryptocurrency exchange.

Their company, Gemini Trust Co., hired Nasdaq Inc. to conduct market surveillance for Bitcoin and Ether trading as well as the auction that helps price Cboe Global Markets Inc.’s Bitcoin futures, according to a statement Wednesday. It’s the first partnership between a well-known exchange like Nasdaq and a digital-asset market to help safeguard the nascent $433 billion cryptocurrency sector.

One thing you can say about traditional financial firms is, they have learned some things about how to do finance. This is not just a matter of the deep macro principles — what is money, who should have it, etc. — that cryptocurrency innovators want to upend. It is also a matter of a million different random micro processes about, like, how to run an exchange with a surveillance system designed to catch spoofing. When you’re redesigning finance and economics from basic principles, you tend not to think about that sort of thing at first. But once you are trying to actually operate an exchange, I guess you need to license some technology. 

On the other hand: “A loud noise knocked out computers that run stock exchanges across northern Europe.” So there is room for improvement, sure.

Food and Not Food Stuff.

One of my fundamental beliefs is that the best business model is getting people to pay you not to do something. A classic of the form is the old story that the great mergers-and-acquisitions lawyer Joe Flom “was so feared as an adversary that he was frequently paid handsome retainer fees by companies nervous about becoming takeover targets,” just to keep him from working for a bidder. I probably first heard that story when I was a junior M&A lawyer working hundred-hour weeks actually doing deals, and the thought of being paid more money not to do deals has haunted me ever since.

Here is a Bloomberg News story about Popeyes Louisiana Kitchen posting better-than-expected same-store sales numbers last quarter because people really like late-night fried-chicken delivery. Here is a Bloomberg News story about how Silicon Valley startups are getting into the business — somehow it is a business — of fasting. “Not a fan of ‘late capitalism’ meme,” tweeted Matthew Klein of Barron’s, “but seems appropriate to describe charging people hundreds of dollars just to tell them not to eat.” You can read the article to figure out how the startups are monetizing not-food — also, to figure out how this counts as “Silicon Valley” — but I prefer to just use my imagination. 

And what I particularly prefer to imagine is Popeyes getting into the fasting business. Sure people will apparently pay $17.99 for Popeyes to deliver them an eight-piece fried chicken meal, but what I want to know is, how much will people pay for Popeyes not to deliver them an eight-piece fried chicken meal? Because nothing will mess with your calorie-restriction plan like a bucket of fried chicken delivered to your house at midnight. If not giving people food can be a business, surely it can be a lucrative bolt-on business for a company that is otherwise in the business of giving people food? Like if Popeyes charged $17.99 for chicken and $24.99 for no chicken, presumably same-store sales would skyrocket, and with essentially no increase in costs. Please invest in my ICO.

Things happen.

What’s Farallon Capital Management founder Tom Steyer up to? PDVSA’s Secured Creditors Organize Ahead of Payment. Facebook Has Hosted Stolen Identities and Social Security Numbers for Years. A $3 Trillion Credit Market Has Corporate Bond Investors on Edge. Pimco’s New Bond King Could Be a Robot in Austin. More on WeWork and its bond offering. Comcast Formalizes Bid for Sky in Challenge to Murdoch’s Fox. Chinese Ride-Hailing Giant Didi Hits Accelerator on Talks for IPO. “Mutual funds that invest in private tech companies are surprisingly good at predicting what a tech company will be worth when it goes public, an analysis of recent IPOs shows.” “We tacked them to the wall and threw 10 darts, with the first eight designated as longs and the last two designated as shorts.” Millennial Wall Streeters Turn to Pot. Are banker bags bad? Newspaper op-eds change minds. “Male [hand grip strength] predicts measures of aggression and social dominance, perceived formidability, male-typical body morphology and movement, courtship display, physical attractiveness, and sexual behavior and reproductive fitness.”

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Matt Levine is a Bloomberg View columnist. He was an editor of Dealbreaker, an investment banker at Goldman Sachs, a mergers and acquisitions lawyer at Wachtell, Lipton, Rosen & Katz and a clerk for the U.S. Court of Appeals for the Third Circuit.

To contact the author of this story: Matt Levine at mlevine51@bloomberg.net.

©2018 Bloomberg L.P.