The Importance of Transitional Due Diligence During Acquisitions

Posted by Kelly Konya on Jan 24, 2019 12:54:00 PM
Kelly Konya

As the facts of the latest major data breach were revealed—this time, affecting some 500 million customers at the Marriott International-owned Starwood hotel chain—cyber security experts contemplated how the rupture could have been avoided.

In the same vein, consumers affected by the breach are looking to these experts for answers and, ultimately, for solutions that can prevent this type of widespread lapse from happening to their personal data again.

In this instance, Marriot’s shortcomings began far before the announcement of the breach, and even before Marriot and Starwood were one in the same. Prior to acquiring the Starwood brand, Marriot failed to include an effective cybersecurity review in their due diligence process. This is an often-overlooked aspect during the processes of assessing risk and measuring a company’s value before closing an acquisition deal.

While the compromised information from the Marriott breach included typical data of corporate breaches, such as emails, names and addresses, the investigation is still ongoing. The breach is one of the largest lapses to date, comparable only to the 2017 breach of 500 million Yahoo accounts, which resulted in Verizon negotiating a $350 million price drop in their acquisition of Yahoo.

So, what lessons can be learned from the Marriott breach?

Lesson One: Include Cybersecurity Before Closing

Understanding an acquisition’s cybersecurity program should always come before the deal is closed. Security professionals from both entities must meet, collaborate and work toward a shared, thorough understanding of the company’s cyber defenses in order to ensure the transition is effective.

Otherwise, renegotiating a contract that has been impacted by a breach post-deal is considerably harder than before. Negotiations should be entered with a clear risk profile and plan of action. This will not only help with factoring the cybersecurity risk profile, but it will also aid in transitioning the new company to the parent company’s security procedures.

Lesson Two: Pay Attention to How Data is Managed and Compliance is Maintained

Already, a heightened awareness of the risks associated with personal data is commonplace. Increasingly strict notification and data security laws, such as the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 and Canada’s Personal Information Protection and Electronic Documents Act, mandate greater attention to handling consumer data, even threatening to bestow serious penalties to companies that fail to observe the regulations.

Though the hospitality industry is a regular target for attacks, not all organizations know to prioritize the management of customer data. It is critical to remain diligent in securing customer data, taking action prior to a deal, instead of waiting until a breach happens and reacting. Implementing a detailed transition plan for the migration of data post-deal is paramount to lowering the exposure of the purchasing entity.

After conducting a risk assessment, precautionary strategies can be developed, such as installing data management processes that deliver a comprehensive understanding of the data flows and data estate.

Lesson Three: Implement or Improve Upon Existing Incident Response Strategies

In addition to focusing on data management, incident response plans, policies and procedures must be in place and underpinned by the training of all stakeholders. If an organization houses data, it is not a matter of if a security lapse will happen, but when. While you may not confront a high-profile cyber-attack, information can become compromised for many different reasons.

This is why it is critical for employees to be aware of and encouraged to report anomalous behavior. In the case of the Marriott breach, the hotel chain learned that there had been unauthorized access to the Starwood network since 2014. In theory, this fact should have been recognized during a due diligence risk assessment.

Lesson Four: Develop a Communications Plan

The United States does not share the same GDPR rules for reporting a breach, which requires a maximum of 72 hours for informing customers. This gives U.S. companies more time to prepare their customer service strategies and responses before the evidence of the breach is made public. This also applies to organization’s undertaking the mergers and acquisitions process, who might be hesitant to disclose a recent breach for fear of devaluing their organization.

Until organizations are held responsible for data lapses, these types of breaches will continue to occur. Without effective security automation processes, data management and incident response strategies, personal information is at risk on a large scale. Being able to classify data and safeguard against the most pervasive data vulnerabilities is the only way organizations can combat these types of high-profile attacks.

Lesson Five: Continuously Monitor and Assess Partners and Suppliers

Due diligence should never end at the point of acquiring a new subsidiary or supplier. Rather, a an organization’s subsidiaries and vendors should come under continuous scrutiny, particularly if they house or process sensitive data.

In being consistently assessed, vendors should be held accountable for their cybersecurity risk profile. Gauging both the greatest vulnerabilities of the organization and of all of the subsidiaries involved will lead to a more robust security program over the long term.

Combatting high-profile cyber-attacks is no easy feat, but by taking the necessary precautions and doing the proper due diligence activities during a transition, companies can effectively safeguard their most sensitive data.

SubRosa Cyber Solutions can assist organizations of all sizes in assessing and developing a strategic incident response plan, augmenting security one step further. For more information, visit

Topics: "Cybersecurity", Due Diligence