Cybersecurity Due Diligence in M&A: Protecting Your Investments
How Ignoring Cyber Risks in M&A Deals Can Lead to Financial and Reputational Disaster
In the high-stakes world of mergers and acquisitions (M&A), where billions can change hands in a single deal, most executives naturally focus on financials, legal concerns, and market synergies. However, as businesses become increasingly dependent on digital infrastructure, one aspect has risen in importance: cybersecurity due diligence.
Failing to evaluate the cybersecurity posture of an acquisition target can have disastrous consequences, with the Marriott-Starwood breach serving as a stark warning. In 2018, Marriott discovered that hackers had been in Starwood's systems since 2014, stealing sensitive information for nearly 500 million guests. By the time Marriott uncovered the breach, it had already completed its $13.6 billion acquisition of Starwood Hotels, leading to severe reputational damage, legal penalties, and remediation costs that exceeded $1 billion.
This incident demonstrates why cybersecurity due diligence is no longer optional in M&A. Let’s explore why this process is so essential, the consequences of neglecting it, and how to approach cybersecurity due diligence effectively in your next M&A deal.
Why Cybersecurity Due Diligence is Essential in M&A
Hidden Liabilities: A company’s poor cybersecurity can hide significant liabilities that may not be apparent during traditional financial audits. If an acquired company's data has already been compromised, it could lead to penalties, lawsuits, and reputational harm. Ignoring these risks leaves the acquiring company to deal with the fallout.
Intellectual Property Theft: Many companies rely on intellectual property (IP) as their primary competitive advantage. Cybersecurity breaches often target these assets, meaning an acquisition could inadvertently hand over critical IP to competitors or bad actors if breaches are left undiscovered.
Regulatory Compliance: Many industries are subject to strict data protection regulations such as GDPR or CCPA. Acquiring a company that has not adhered to these regulations could expose the acquirer to heavy fines and legal penalties, potentially jeopardizing the entire deal.
Operational Integrity: Cybersecurity issues can directly impact business operations, including manufacturing, service delivery, or customer-facing platforms. Ransomware, for example, could lock critical systems or data, causing business interruptions that erode trust and profitability.
Consequences of Neglecting Cybersecurity Due Diligence
The Marriott-Starwood breach provides a cautionary tale for companies neglecting cybersecurity due diligence in M&A. After the acquisition, Marriott was forced to publicly disclose the breach, leading to:
Reputation Damage: The incident eroded Marriott’s brand reputation as customers lost trust in the company’s ability to protect their data.
Regulatory Penalties: Data protection authorities across the globe, including the EU and U.S., launched investigations into Marriott's handling of customer data. The GDPR regulators in the EU fined Marriott £18.4 million ($24 million) in 2020.
Litigation Costs: Numerous lawsuits emerged from affected customers, significantly adding to Marriott's legal expenses and potential settlement costs.
Operational Disruption: Post-breach, Marriott had to spend considerable resources strengthening its cybersecurity infrastructure, disrupting regular business activities.
These outcomes underscore the importance of conducting thorough cybersecurity due diligence to protect against unexpected liabilities and reputational harm.
The Process of Cybersecurity Due Diligence in M&A
Cybersecurity due diligence aims to provide a clear picture of the target company’s security posture, identifying any potential risks that may carry over post-acquisition. Here’s an overview of the process:
Assess the Current Cybersecurity Framework: Begin by reviewing the target company’s existing cybersecurity policies, procedures, and practices. This includes evaluating firewalls, encryption, access controls, and incident response plans.
Identify Past Cyber Incidents: Review whether the target company has experienced any previous breaches or incidents. If they have, it's essential to understand the extent of the damage, how it was handled, and whether the root cause has been adequately addressed.
Evaluate Regulatory Compliance: Check whether the company complies with industry standards and regulations (e.g., GDPR, HIPAA, CCPA). Identify gaps in their compliance that could expose the acquirer to fines or penalties.
Examine Third-Party Risks: Investigate any risks stemming from third-party vendors or partners. Poor security practices within the supply chain can pose serious risks to the acquiring company, even if the target company’s internal cybersecurity appears strong.
Conduct Vulnerability Testing: Hire an external cybersecurity firm to conduct penetration testing and vulnerability assessments. This provides an objective view of the target company’s vulnerabilities and potential exposure.
By following these steps, an acquirer can identify critical cybersecurity risks before the deal is finalized, allowing them to adjust the acquisition price, implement protective measures, or even reconsider the deal.
How to Establish Basic Cybersecurity Due Diligence in M&A
If you're looking for a simplified approach to cybersecurity due diligence, here’s a 5-step plan to follow:
1. Initial Cyber Risk Assessment
Before diving deep, begin with a high-level assessment of the target’s cybersecurity maturity. Look at governance frameworks, policies, and procedures that cover risk management, data protection, and incident response. This step sets the stage for identifying gaps and determining the scope of further due diligence activities.
2. Data Mapping and Protection Review
Understanding what sensitive data the target company holds is crucial. Map out customer, employee, and partner data stored across systems. Then, assess how well this data is protected. Are encryption standards in place? Is data classified and handled according to its sensitivity? This helps you identify where the greatest exposure might lie.
3. Breach and Incident History
Investigate whether the target company has been involved in any cyber incidents or breaches. Review the scope and impact of these incidents, including how the company handled them and whether improvements have been made. This can give a sense of their resilience and whether vulnerabilities may have lingered.
4. Vendor and Supply Chain Risk
Third-party risks can be just as damaging as internal risks. Review the cybersecurity practices of key vendors and suppliers to see if they pose any threats to your acquisition. Breaches originating from third-party vendors can lead to significant exposure, as seen in numerous high-profile cases.
5. Regulatory Compliance and Liability Assessment
Finally, examine the target’s compliance with relevant data protection laws and regulations. Ensure the company meets necessary legal standards, such as GDPR, CCPA, or industry-specific requirements like HIPAA. Failure to comply with these can lead to large fines or lawsuits post-acquisition.
What Happens if Cybersecurity Due Diligence Is Ignored?
If an acquiring company neglects cybersecurity due diligence, it risks inheriting significant problems that could affect its bottom line, operational integrity, and reputation. Beyond financial costs, post-acquisition breach discovery is a common outcome, resulting in crisis management situations that can derail business integration efforts.
In Marriott's case, a failure to uncover the Starwood breach earlier led to increased scrutiny, customer backlash, and compliance challenges. The long-term consequences have been both financial and reputational, underscoring the severe risk of underestimating cybersecurity due diligence.
Cyber risks are now a core business issue, not just an IT problem. Nowadays, cybersecurity due diligence in M&A is as important as financial and legal due diligence. By taking a proactive approach, companies can protect themselves from costly surprises and ensure that the deals they make are truly advantageous.