Why cybersecurity must be a priority in M&A strategies
Mergers and acquisitions can be a great way for an enterprise to grow market share, increase supply-chain pricing power, and improve operational efficiency by reducing overhead. It is predicted that 2020 will bring an increased number of closed M&A deals.
In fact, 79 percent of respondents to Deloitte's M&A trends 2019 report expect the number of deals they close to rise in the next 12 months, up from 70 percent of respondents the year before. While M&A looks like a fast route to staying competitive, an acquirer also takes on the target's security debt, and it can expose itself to serious risk if proper cybersecurity due diligence is not carried out before the deal closes.
Take Marriott's 2018 data breach as an example, in which approximately 383 million guest records in the Starwood guest reservations database were compromised. When the breach was disclosed near the end of 2018, the investigation found that the unauthorized party had had access to Starwood's network since 2014, two years before Marriott finalized its acquisition of Starwood in 2016.
Marriott originally pursued the Starwood acquisition in order to obtain a larger non-US presence, since the majority of Starwood's revenue at the time came from international markets. Unfortunately for Marriott, the absence of an M&A strategy that prioritized cybersecurity due diligence led the UK's Information Commissioner's Office (ICO) to announce its intention to fine Marriott £99 million (about $123 million) for infringements of GDPR.
Additionally, Marriott could face further penalties, including fines, from other data privacy regulators such as the FTC.
While not every detail of the breach of Starwood's guest data is public knowledge at this time, let us analyze what we do know about this security incident:
- Both Marriott and Starwood lacked visibility into their IT infrastructure, which allowed the attackers to remain undetected and exfiltrate data for years.
- Starwood stored much of its guest data, including millions of passport numbers, unencrypted, so the threat actors could read it directly once they had access to the database.
- Marriott failed to account for the risk of acquiring Starwood's environment. Starwood employees themselves admitted that its global computer network was difficult to secure.
- Starwood suffered a malware attack on its point-of-sale (POS) cash registers that compromised North American customers' payment card information in 2015, one year before the acquisition was finalized. This should have been another red flag for Marriott during the M&A process.
You may be wondering what Marriott could have done to make cybersecurity due diligence a priority in the M&A process. The first step would have been obtaining visibility into Starwood's systems, including database audit logs, in order to identify anomalous behavior, such as an account with administrative privileges querying the guest reservations database from an unexpected host, outside business hours, or returning millions of rows at a time. Marriott could then have made it a priority to encrypt Starwood's data at rest across all applications and data stores, and to keep the encryption keys separate from the data they protect.
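The kind of check described above, written out as an added example that is not part of the original article and not code from Marriott or Starwood: it runs three simple detection rules over a constructed, hypothetical database audit log (the pipe-separated format, the account names, the admin subnet and the thresholds are all assumptions for illustration) and reports which records warrant investigation. It also shows what the same rules would have flagged: a privileged account reading whole tables from a host nobody expects DBAs to use, in the middle of the night.

```python
"""Flag anomalous administrative access in database audit logs (illustrative)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit records in a hypothetical format:
#   timestamp|account|role|source_ip|statement|rows_returned
# These lines are invented for this example; they are not real Starwood or Marriott logs.
SAMPLE_AUDIT_LOG = """\
2018-09-07T10:15:02Z|resv_app|app|10.20.1.15|SELECT * FROM reservations WHERE id=?|1
2018-09-07T10:15:09Z|resv_app|app|10.20.1.15|SELECT * FROM reservations WHERE id=?|1
2018-09-07T11:02:11Z|dba_jsmith|admin|10.20.5.2|ALTER TABLE guests ADD COLUMN loyalty_tier|0
2018-09-07T02:41:30Z|svc_backup|admin|198.51.100.23|SELECT * FROM guests|3200000
2018-09-07T03:10:44Z|svc_backup|admin|198.51.100.23|SELECT * FROM passports|2500000
2018-09-07T14:30:00Z|report_svc|app|10.20.1.40|SELECT stay_date, count(*) FROM reservations GROUP BY stay_date|365
"""

# Assumed environment facts; in practice they come from the acquired company's asset inventory.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.5.0/24")]  # jump hosts DBAs are expected to use
BUSINESS_HOURS_UTC = range(7, 20)                         # 07:00 to 19:59 UTC
BULK_ROW_THRESHOLD = 100_000                              # rows returned by one statement


def parse_record(line):
    """Parse one audit line; raise ValueError on anything malformed."""
    parts = line.split("|")
    if len(parts) != 6:
        raise ValueError("expected 6 fields, got %d" % len(parts))
    ts, account, role, ip, statement, rows = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "account": account,
        "role": role,
        "ip": ipaddress.ip_address(ip),
        "statement": statement,
        "rows": int(rows),
    }


def analyze_audit_log(text):
    """Return a finding for every record that trips at least one rule.

    Malformed lines are reported rather than silently skipped: an attacker who can
    corrupt the audit trail is itself a finding worth looking at.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError:
            findings.append({"line": lineno, "account": None, "rows": 0, "reasons": ["unparseable"]})
            continue

        reasons = []
        is_admin = rec["role"] == "admin"
        if is_admin and not any(rec["ip"] in net for net in ADMIN_NETWORKS):
            reasons.append("admin_from_unknown_host")
        if is_admin and rec["ts"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("off_hours_admin")
        if rec["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append("bulk_read")
        if reasons:
            findings.append({"line": lineno, "account": rec["account"],
                             "rows": rec["rows"], "reasons": reasons})
    return findings


def flagged_rows_by_account(findings):
    """Total rows returned by flagged statements, per account: a rough exfiltration volume."""
    totals = defaultdict(int)
    for f in findings:
        if f["account"] is not None:
            totals[f["account"]] += f["rows"]
    return dict(totals)


if __name__ == "__main__":
    hits = analyze_audit_log(SAMPLE_AUDIT_LOG)
    for h in hits:
        print("line %d account=%s rows=%d reasons=%s" % (h["line"], h["account"], h["rows"], ",".join(h["reasons"])))
    print("rows exposed by account:", flagged_rows_by_account(hits))
```

On the sample above, the two `svc_backup` statements trip all three rules at once, while the DBA's schema change from the expected subnet during business hours and the reporting job's small aggregate query pass cleanly. Rules this simple would not catch a careful intruder, but an acquirer that cannot even run them against the target's logs has no basis for claiming it has visibility into what it is buying.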
Any organization that acquires another business and its IT assets inherits major security blind spots if the proper monitoring and controls are not in place. The fact that it took Marriott two years after the acquisition to recognize that Starwood had been breached shows how little consideration was given to cybersecurity during the deal. Enterprises across all industries that use cloud applications should be deploying controls that protect data wherever it is accessed, not only inside the corporate network perimeter.
In the future, companies that undergo M&As must have flexible security strategies that proactively detect and respond to new threats as they arise, starting with the acquired environment itself. Securing data proactively and remediating weaknesses before malicious third parties can exploit them is the key to protecting customers and avoiding penalties under data privacy regulations.