On March 1st, Yahoo filed its fiscal 2016 Annual Report, in which management made a number of significant disclosures related to cyber security incidents.
Regarding its agreement to be purchased by Verizon, Yahoo confirmed the Stock Purchase Agreement (SPA) would be reduced by $350 million and that Verizon and Yahoo would split the cost of “certain post-closing cash liabilities related to the data security incidents and other data breaches incurred...” Yahoo disclosed that it had spent $16 million toward its cyber incidents. It also indicated that its SOX 302 disclosure controls were ineffective. Despite the ineffective disclosure controls, Yahoo maintained that its SOX 404 internal controls were effective. See in this article how Yahoo enhanced its controls for dealing with cyber incidents and how management was reprimanded.