Imagine you are about to buy a used car without looking into the trunk. You are stopped at a traffic checkpoint and the police officer asks you to open the trunk. Unwittingly you open it, and in the trunk lies a dead body.
I assume you would never buy a used car without looking into the major compartments. You do your due diligence. In the corporate Mergers & Acquisitions (M&A) world, due diligence is an essential step. Verifying what you are about to purchase is life-saving.
It is all the more surprising, then, that due diligence in cybersecurity still plays a minor role. The integration of two companies' systems, data, and processes can create significant vulnerabilities if not properly managed. Cybersecurity due diligence is hence as crucial as financial or operational due diligence.
Why Cybersecurity Due Diligence Matters
The consequences of neglecting cybersecurity due diligence are multifaceted and can be severe:
Financial Loss: This can include decreased revenue, market value, and market share. Regulatory fines may also be imposed if data breaches occur.
Reputation Damage: A company’s brand reputation can be severely damaged, leading to loss of customer trust and social capital.
Legal and Regulatory Issues: Companies may face litigation from customers, suppliers, or business partners, as well as regulatory investigations and fines.
Operational Disruptions: Cyber incidents can cause significant business interruptions, affecting daily operations and overall productivity.
Deal Jeopardy: Serious cybersecurity issues discovered post-acquisition can jeopardize the entire deal, leading to renegotiations or even cancellations.
Depending on the industry the parties operate in, one consequence might be more severe than another. Particularly when it comes to regulatory issues, non-compliance might result in significant fines and penalties. Cybersecurity due diligence ensures that the target company complies with all relevant regulations, reducing the risk of regulatory action post-acquisition.
M&A deals often involve the transfer of sensitive data and intellectual property. Cybersecurity due diligence helps ensure that this information is adequately protected, reducing the risk of data breaches and intellectual property theft. A data breach can severely damage a company's reputation and erode customer trust. By conducting thorough cybersecurity due diligence, the acquiring company can demonstrate its commitment to protecting customer data, maintaining trust and loyalty.
“This sounds very theoretical to me. Do you have an example?”
Well, I’m glad that you asked…
The Marriott-Starwood Acquisition
One notable example of the consequences of inadequate cybersecurity due diligence is the Marriott-Starwood acquisition. In 2016, Marriott International acquired Starwood Hotels and Resorts for $13.6 billion. However, it was later revealed that Starwood had suffered a massive data breach in 2014, which went undetected until 2018.
The breach compromised the personal information of approximately 500 million guests, including names, addresses, phone numbers, email addresses, passport numbers, and payment card information. The breach was one of the largest in history and had significant repercussions for Marriott.
Impact on the Deal
Marriott faced substantial financial losses due to the breach. The company incurred costs related to the investigation, remediation, and legal fees. Additionally, Marriott was fined $123 million by the UK Information Commissioner's Office for failing to protect customer data.
The breach severely damaged Marriott's reputation, leading to a loss of customer trust and loyalty, and the company faced significant negative publicity and criticism for its handling of the incident. It also attracted regulatory scrutiny from authorities worldwide, resulting in further legal and compliance costs for Marriott, and caused significant operational disruptions as Marriott worked to secure its systems and address the vulnerabilities that led to the breach.
Overall, it is estimated that Marriott incurred $30 million in recovery costs, a 5% drop in its share price, $1 billion in lost customer loyalty, and over $120 million for violating British customers’ privacy rights under the General Data Protection Regulation (GDPR). Moreover, Marriott was confronted with several class action lawsuits after the breach was announced, one of which sought $12.5 billion in damages, or $25 for each customer affected.
Lessons Learned
The Marriott-Starwood case highlights the importance of early detection and response to cybersecurity incidents. Conducting thorough cybersecurity due diligence before the acquisition could have identified the breach earlier, allowing Marriott to take proactive measures to mitigate the impact.
Cybersecurity due diligence should include comprehensive assessments of the target company's systems, processes, and security measures. This includes evaluating the company's incident response capabilities, data protection measures, and compliance with relevant regulations.
Effective integration planning is critical to ensuring a smooth transition and minimizing cybersecurity risks. This includes aligning the cybersecurity policies and practices of both companies, integrating security systems, and conducting regular security audits.
Cybersecurity is an ongoing process, and companies must continuously monitor and improve their security measures. This includes staying up-to-date with the latest threats and vulnerabilities, conducting regular security assessments, and implementing best practices for data protection.
Wrap-up
Cybersecurity due diligence is a critical component of any M&A deal. By identifying and addressing cybersecurity risks early, companies can protect their assets, maintain customer trust, and ensure a successful transition. The Marriott-Starwood case serves as a cautionary tale of the consequences of inadequate cybersecurity due diligence, highlighting the importance of comprehensive assessments, early detection, and ongoing monitoring. In today's digital age, companies cannot afford to overlook the importance of cybersecurity in their M&A strategies.