The Rise of Cyber Due Diligence in Deal-Making
Print issue: January 2021
It was a deal that made Marriott International the owner of the largest hotel chain in the world. In 2015, the company announced that it would buy Starwood Hotels & Resorts Worldwide, Inc., for $12.2 billion—combining the two companies’ 5,500 hotels with 1.1 million rooms worldwide.
But unbeknownst to Marriott, the deal would open up a massive area of liability just a few years down the road when the U.S. Federal Trade Commission (FTC) would fine Marriott for a breach of Starwood’s guest reservation database—which exposed the personal information of up to 500 million people.
“The hotel chain says the breach began in 2014 and anyone who made a reservation at a Starwood property on or before September 10, 2018, could be affected,” according to the FTC’s announcement.
Marriot later clarified in an update in 2019 that approximately 383 million guest records were compromised in the breach—including 20.3 million encrypted passport numbers and 5.25 million unencrypted passport numbers.
Along with the fine from the FTC, the hotel owner was also fined more than £99 million ($130 million) by the United Kingdom’s Information Commissioner’s Office for the breach; the commissioner’s office has since reduced the fine to £18.4 million ($25 million) because of the COVID-19 pandemic.
Additionally, Marriott has faced a slew of legal complaints related to its handling of the breach. One of the largest is a class action lawsuit brought by two members of Starwood’s—and now Marriott’s—customer loyalty program on behalf of all victims of the breach.
“It is particularly egregious that Marriott did not discover this serious data breach during the course of its due diligence efforts in conjunction with its 2016 Starwood acquisition,” said Amy Keller, partner at DiCello Levitt and co-lead counsel on the suit. “Marriott seems to forget that part of being in the customer service business includes actually taking care of its customers. Through this lawsuit, we intend to ensure that it never forgets that again.”
And while those efforts are focused on ensuring that Marriott learns from previous mistakes, recent findings from a Deloitte survey suggest that organizations are taking cybersecurity more seriously during the merger and acquisition (M&A) process—especially when those deals are being made virtually.
In the Future of M&A Trends Survey of 1,000 U.S. corporate merger and acquisition executives and private equity firm professionals, Deloitte found that deal activity in the United States plunged after the World Health Organization declared COVID-19 a pandemic in March 2020. But in April 2020, the situation changed with 60 percent of respondents saying their organizations were more focused on pursuing new deals. Six in 10 survey respondents also said they expected U.S. merger and acquisition activity to return to pre-COVID-19 levels within the next 12 months.
“When it comes to cyber in an M&A world—it’s important to develop cyber threat profiles of prospective targets and portfolio companies to determine the risks,” said Deborah Golden, cyber and strategic risk leader, Deloitte. “CISOs understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”
In practice, this means that organizations are increasingly giving CISOs a seat at the table and making them part of the due diligence process, says Jaime Fox, partner and principal at Deloitte Cyber Risk Services. Fox leads Deloitte’s work on cyber due diligence in strategic acquisitions.
Previously, security representatives were only brought into the deal-making process during the closing aspects so they could focus on integrating the organizations involved, she says. Taking that approach, however, means that organizations might not discover a cyber risk—like the Starwood data breach—before finalizing the deal, opening themselves up to potential liability, higher remediation costs, and more consequences down the line.
Initially, organizations began to transition their approach to cyber due diligence by doing a high-level cybersecurity assessment. This included aspects like looking at a broad threat landscape and overall network security, Fox explains. Before the COVID-19 pandemic hit in early 2020, clients were requesting that cyber be more fully addressed in due diligence.
“Now in a COVID world, we’re seeing deeper dives into what clients are looking at,” she adds. “We see acquirers doing things in terms of threat intelligence and research on the Dark Web to gain a greater understanding around things like leaked user credentials for sale. It’s very encouraging to see…and helps the CISO frame the mind-set: ‘This is the house I’m about to buy. These are the things I’ve uncovered. This is what my remediation costs are going to be.’”
These deep dives include creating a cyber playbook that defines the areas the parties want to cover in their due diligence process, including threat intelligence, Dark Web research, cyber reconnaissance, and assessments of network flows to identify potentially suspicious traffic. Some also choose to engage in penetration testing.
“Oftentimes the target will approve doing something like that—sometimes they won’t,” Fox says. “It’s very encouraging to see clients and acquirers push to get this type of information. It really helps to home in on their top 10 questions—after they’ve gathered this intelligence, they can go to the target and gain a better understanding of what they’ve found.”
This was on display, for instance, when Verizon reduced its offer to acquire Yahoo! by $350 million after Yahoo! disclosed two major breaches. And the portion of Yahoo! that was not part of the Verizon deal agreed to assume 50 percent of the liability related to any future lawsuits stemming from the breaches, according to analysis from PricewaterhouseCoopers (PwC), When Cyber Threatens M&A.
“This isn’t an issue for only tech companies. Cyber threats have spread to industries that weren’t targeted earlier in the digital age; restaurant chains, for example, can be attacked for the customer information—either credit card numbers or information from their loyalty programs,” PwC said. “Furthermore, the goal of a cyberattack can be more than a simple data grab. Consider a pharmaceutical company’s formula for a drug, a manufacturer’s product design, or a distribution company’s transportation model. All of that is intellectual property that can be a crucial part of a deal’s value.”
These threats raise the risks for acquirers looking to make a deal—and make their potential acquisitions a more lucrative target during the integration process—but do not tend to push them away from the table.
“While cyber threats are more prevalent, it’s still rare for a breach or other issue to harm a transaction to the point that an acquirer completely walks away; delaying the transaction is a more common result,” according to PwC. “Yet delays, added costs, and questions about a target’s value all have consequences for the deal process. To avoid such damage, acquirers need to understand the cyber risks of the target so they can limit surprises, model appropriately, and ensure a reasonable transaction.”
This is key, Fox adds, because discovering this information sooner in the process will allow acquirers to negotiate better terms.
“Right off the bat we tell our clients that going through this process sooner is only going to help you in the end,” she says. “Understanding the impact of security breaches, controls around customer data, and arming them with information around how it’s important to understand the entity you’re about to buy…when you present it from a risk perspective, you show that these are things we should be able to quantify.”
There’s also a renewed focus on cybersecurity as many of the mergers and acquisitions happening today are being done virtually. Eighty-seven percent of respondents to Deloitte’s survey said their organizations have effectively managed a deal in a purely virtual environment, and more than 55 percent said they anticipate virtual deal-making will be the preferred platform even after the pandemic.