Are You Evaluating Your Target Acquisition Through the Cyber Security Lens?

By Sourya Biswas, Technical Director, NCC Group

Caveat emptor, Latin for “Let the buyer beware,” is the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made. It is traditionally rooted in information asymmetry, where the seller knows of possible shortcomings that the buyer doesn’t. While legal protections, such as binding warranties, can be implemented, it’s still prudent to conduct due diligence to discover issues before the purchase is closed.

This is especially true in the world of mergers and acquisitions (M&A), or more generically the transaction space. Though buyers generally conduct due diligence during any M&A transaction, cyber security considerations often take a backseat to evaluating revenue multipliers, cost synergies, and operating efficiencies. While it’s understandable that the business drivers mentioned above should constitute the evaluation process, underestimating the impact of cyber security (or lack thereof) can have significant ramifications down the road. This moves the discussion from “Let the buyer beware” to “Proceed at your own risk.”

In some cases, the decision to purchase has already been made and the due diligence process becomes an exercise of questionable value. It’s not unknown for a company to make an acquisition just so it’s competitor can’t, or to stifle competition. In such a situation, where revenue and cost concerns are overlooked, cybersecurity may not even make it to the top of mind, let alone be a part of the actual due diligence process.

Much of this may be attributed to the understated role that security plays in business, mainly that it is viewed simply as a cost of doing business and compliance, dismissively categorized as “pay to play.”

This need not be the case; cyber security can and should be a business enabler and the basis for competitive differentiation. Securing information matters, whether it is Personally Identifiable Information (PII) related to consumers, Intellectual Property (IP), or indeed any case where the confidentiality, integrity, and/or availability of information.

The Case of Marriott

Marriott may well have wished they paid more attention to cyber security in their acquisition of Starwood Hotels in 2016. The ensuing breach is an enlightening case study on how security issues from years past can come back and make their presence felt. 

On September 30, 2018, Marriott International, the third largest hotel chain in the world, disclosed a breach of 500 million customer records; these included personally identifiable information (PII) like names, email addresses, phone and passport numbers, and payment card information. Aside from the tangible costs to investigate and remedy the breach and the intangible costs of reputation loss, Marriott now faces a monumental $123 million penalty for GDPR violations. Add that to the potential payouts from several ongoing class action lawsuits and, well, let’s just say it isn’t a situation any company ever wants to be in.

Forensic analysis determined that the Starwood network had actually been compromised as far back as 2014, two years before the acquisition. This begs the obvious question, why didn’t Marriott’s due diligence of Starwood back in 2016 detect something? Even if the breach itself was not detected, adequate cyber security due diligence may have revealed control gaps.

To summarize, as the buyer in an acquisition, you can never be too careful. Or as the ancient saying goes, “caveat emptor.”