Think of all the sleepless nights that could have been avoided for Marriott’s management team: 500 million customers’ records breached, a potential £99 million (USD 123 million) fine and a 5.6% drop in share price. Marriott International Inc.’s recent encounter with the Information Commissioner’s Office (ICO) in the UK, over an alleged breach of the EU’s GDPR through a customer data breach at one of its acquisitions, Starwood Hotels, makes it clear that cyber due diligence in a merger or acquisition is more relevant than ever before.
Marriott acquired Starwood in September 2016, making it the world’s largest hotel chain with several of the most well-known hotels under its belt. However, the apparent lack of due diligence on Starwood’s IT systems during the acquisition and subsequent integration resulted in the failure to identify a significant breach of the guest reservation database, exposing 500 million customer records to cybercriminals.
Mergers and acquisitions have always presented financial, legal and reputational risks, and the Marriott case is one in a long line of examples of issues identified after a transaction that could have been dealt with through better due diligence. In today’s global data economy, cyber due diligence needs to be an integral part of any business investment, just as the established forms of due diligence are now standard procedure. Customer data is acknowledged by both business and regulators globally as a powerful commodity. So, for a successful negotiation and deal closure, it is essential that the acquiring business understands the cyber risks it could be inheriting, both before and after an investment is made.
Incorporating cyber into the standard practice of assessing reputational, financial and legal due diligence captures the full range of regulatory risks to a deal, thereby also protecting the investor from paying a potentially overinflated price or risking an eye-watering fine further down the line. Leveraging this information during the negotiation stage can help businesses determine the cost of remediating any weakness identified and, if the costs to remediate are significant, use this in price negotiations. As Marriott and many other businesses that have learnt the hard way found, cyber due diligence makes both reputational and financial sense when acquiring a company today.
So how can cyber due diligence inform a negotiation and what steps need to be taken to get it right?
Learning from the past
Cyber due diligence should now be as integral as other types of due diligence that were once considered an advantageous but non-essential benefit in a deal transaction. For example, prior to the UK Bribery Act (UKBA) or the Foreign Corrupt Practices Act (FCPA), anti-corruption due diligence was not systematically applied as part of the deal negotiation process, and those businesses that neglected to do so did so at their peril. With those lessons learnt, anti-corruption checks are now a standard component of merger and acquisition due diligence. With GDPR and China’s Cyber Security Law, among other global data regulations, now firmly in place and starting to flex their muscles, the same can be argued for cyber due diligence today.
So, what is the barrier to undertaking cyber due diligence? The issue is that it is often misperceived as “someone else’s problem”, as something that can be sorted post-transaction, or as something that can be resolved under the radar of regulators and the public eye, hopefully avoiding any reputationally damaging disclosure. If only that were the case.
To avoid falling foul of the regulators, any business investing in or acquiring another business must be able to demonstrate to the regulators that it undertook pre-transaction cyber due diligence, should a breach subsequently be discovered. Recently, the UK’s Information Commissioner Elizabeth Denham announced that Marriott “failed to undertake sufficient due diligence when it bought Starwood”. But positive lessons can be learnt too, from examples such as Verizon, a large American telecommunications company, which in 2016 leveraged findings from its cyber due diligence on two data breaches at Yahoo!. It negotiated a deal whereby Yahoo! would continue to be responsible for liabilities from shareholder lawsuits and federal investigations post-acquisition.
Using cyber due diligence to inform negotiations
Cyber due diligence, if conducted as a pre-transaction precaution, can be an important negotiation tool. Careful pre-transaction due diligence allowed Verizon to take £281 million off the purchase price for Yahoo! in consideration of a massive data breach. Cyber due diligence therefore serves as a negotiation tool when acquisition decision-makers identify red flags during the due diligence process.
The findings of cyber due diligence can also be used to benchmark other acquisitions, which is helpful to companies that are rapidly expanding their portfolios. This data can be applied to other targets in a portfolio to identify areas of high risk. Standardising the output from cyber due diligence alongside the findings from traditional due diligence practices gives investors a holistic view of risks across an entire portfolio. The data can also be leveraged by deal teams to put the investor in the best possible position to negotiate the price and terms of an acquisition.
What should investors be doing?
Pre-transaction cyber due diligence must be conducted by specialists experienced in cyber threat analysis. This could include assessing the external cyber threats to, and internal maturity of, a target company and/or determining the costs of remediating identified security weaknesses. The outputs of these assessments should be shared with deal teams, who can then take calculated risks on the acquisition and ultimately drive the decision-making on investing. To continue managing the cyber risks to an investor’s portfolio, post-transaction due diligence serves as a valuable tool for maintaining a ‘health check’ on investments. It can also help identify issues that are likely to arise from the evolving regulatory landscape.
Currently, data protection regulations such as GDPR are driving change in the due diligence required of businesses during a transaction. But they are limited to regulatory disclosure once a breach has occurred, and only when it impacts the personal information of EU citizens. As security and privacy regulation continues to evolve, we can expect to see greater emphasis on businesses needing to provide accurate information on the health of their systems as a proactive measure, rather than reactively following the identification of a breach. Target companies should equally bear this in mind and assess their systems ahead of negotiations as part of their overall sales preparation process. Clarity on how any identified weaknesses could impact the acquisition or investment, and on what measures are being taken to fix them, will also avoid stalling the transaction process and secure the best possible price for the business.
But of course, it goes without saying that businesses shouldn’t wait for a merger or acquisition process to undertake a review of their cyber security. As cyber security and data regulations across the globe continue to emerge and strengthen, few businesses nowadays are immune to the potentially significant reputational and financial impact a data breach can incur. Undertaking a regular assessment, at a minimum annually, of your data procedures and cyber security measures, and identifying if and where cyber threat actors might be able to breach your systems, should simply be par for the course for business leaders today. If it’s not a regular point of discussion in your management meetings, then let the experiences of the likes of Marriott be a lesson to you. M&A transaction or not, it’s time to get a grip on your cyber security.
By Connor Lattimer, Associate Director, Control Risks.