The board’s Independent Committee investigating the hack, which took place while Mayer was CEO, decided that she should not receive her cash bonus for last year.
In addition, after “discussions with the board,” Mayer “offered to forgo” her 2017 annual equity award. The board accepted her offer.
Yahoo has not yet disclosed executives’ compensation for 2016. In 2015, Mayer made about $36 million, including a $12.4 million annual equity award. Her deal with the company says that she’s to receive at least $12 million in the annual awards.
The company says that Bell resigned today, and “no payments are being made to Mr. Bell in connection with his resignation.” He received $4.5 million in 2015.
The Independent Committee found that Yahoo’s information security team had “contemporaneous knowledge” of the 2014 state-sponsored attacks, “as well as incidents by the same attacker involving cookie forging in 2015 and 2016.”
It adds that “it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge.”
For example, the information security team knew that the attacker had “exfiltrated copies of user database backup files containing the personal data of Yahoo users” — though it’s “unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”
Investigators “did not conclude that there was an intentional suppression of relevant information.”
Said Mayer: “I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”
Yahoo says that it will “soon” submit an amended proxy to the SEC that will enable it to “move forward with scheduling a special meeting of Yahoo shareholders” to approve Verizon’s $4.48 billion offer for the internet company’s operating assets. That deal is still “expected to close in the second quarter of 2017.”
Today’s report notes that Yahoo paid $5 million last year to investigate and fix the hacks, plus $11 million for “nonrecurring legal costs.”
What’s more, “we have subsequently incurred additional expenses related to the Security Incidents to investigate and take remedial actions to notify and protect our users and systems, and expect to continue to incur investigation, remediation, legal, and other expenses associated with the Security Incidents in the foreseeable future,” the company says.
It does not have cybersecurity liability insurance.