Quantifying cyber risk during M&A due diligence is a necessary money-saving step

During the Battle of Constantinople in 1453, the Byzantine Empire had a clear defensive advantage over its Ottoman opponents: the Wall of Constantinople. Despite the wall, the Byzantine forces were unable to defend their capital during the 53-day siege, in part due to a single unlocked gate. This allowed Sultan Mehmed II’s forces to breach the perimeter and conquer the city, leading to the collapse of the empire. Had the Byzantines conducted proper due diligence and secured this single gate, they might have saved their empire!

As critical as walls and gates were during a medieval siege, a robust cyber review that looks at both the integrity of walls and gates as well as the motivation of the siege force is critically important for today’s mergers and acquisitions (M&A) due diligence. M&A has long been considered one of the most complex, time-sensitive, and challenging transactions in the corporate world. In preparation for a transaction, professionals execute rigorous due diligence processes, assessing all kinds of potential risks to derive the valuation. However, like Constantinople’s unlocked gate, potential high-cost cyber vulnerabilities at target companies are often overlooked. Most methods employed to understand a target company’s cyber risk exposure are time-consuming and difficult to perform without access to several layers of the target organization. This leaves the potential for firms to unknowingly acquire cyber breaches with their purchases.

The cyber risk profile for a target should be a fundamental concern for firms engaged in M&A activity. Traditionally, cyber due diligence consists of reviewing a target’s risk and controls assessments and conducting the type of testing that an information security program would use to assess itself. While these types of assessments are typical, they present challenges for the M&A process. Controls assessments tend to be a static view of decisions. The assessments are often a checklist of the controls and mitigation plans that are in place and not a view of the overall risk. Additional evaluations, such as penetration testing, require more time and effort than can typically be completed during an early assessment. To balance the time-sensitive nature of the M&A process with the need to protect against acquiring a breach and destroying value, firms need to employ an efficient and repeatable cyber risk analysis strategy.

Buying the breach

Marriott International, Neiman Marcus, and Yahoo! all inherited cyber vulnerabilities from companies they acquired.¹ In all three cases, the parent company became liable for the cost of shareholder lawsuits, class-action lawsuits, and U.S. Securities and Exchange Commission (SEC) investigations. Marriott’s acquisition of Starwood stands out in particular as the most value-destroying example, with 500 million consumer records exposed and nearly $200 million in General Data Protection Regulation (GDPR) penalties.

The hotel chain was subject to an additional breach in January 2020, when cybercriminals accessed the records of 5.2 million guests through Marriott’s third-party software.²,³ These attacks underscore the kinds of legal, financial, and reputational damage that can arise when cyber risk is not assessed strategically. In order to mitigate these types of risk events, it is imperative to understand how the cyber breach emerged.

The Starwood-Marriott incident

With 10 renowned brands, including Westin and Sheraton, Starwood was one of the largest hotel companies in the world. Naturally, a high-value global franchise like Starwood received bids in 2016 from both Marriott International and China’s Anbang Insurance Group.⁴ When Anbang withdrew, Marriott was left to purchase Starwood for $13.6 billion.⁵ When asked about risk during a shareholder conference call, Marriott’s CEO, Arne Sorenson stated,

It appears that Sorenson did not fully assess cyber as a significant nonfinancial risk. Marriott’s 2016 10-K acknowledges that “cyberattacks could have a disruptive effect on [Marriott’s] business,” but lists only cyber and privacy liability insurance as a method of protection against data breaches.⁷ Validating that a target has an in-force cyber policy is not sufficient due diligence.

In September 2018, two years after Marriott’s acquisition of Starwood, Starwood’s 2014 breach was finally detected. Because Starwood’s servers had already been incorporated into Marriott’s systems, an unauthorized party was able to access sensitive customer information.⁸ Marriott’s data breach was one of the largest data breaches ever disclosed, exposing records of 383 million guests, 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment cards, and 385,000 valid card numbers.⁹ And while some of this information was encrypted, that does not necessarily mean it is immune to decryption. For instance, the cryptographic keys used to encrypt credit card numbers were stored on the same server. With the keys in hand, the attackers can easily decrypt the card numbers.¹⁰

Magnitude of a breach

When a company acquires another firm, it is also acquiring all of that firm’s cyber decisions to date. As unfortunate as the Marriott breach was, it did not grind business to a halt. It was a data breach that resulted in large losses and legal costs, but Marriott was still operational during the breach. During the 2017 NotPetya attack, Maersk, the world’s largest shipper, was barely able to operate for at least 10 days. While the impact on Marriott was significant, there have been instances where damage has been worse, and had the potential to cripple the company.

Mitigating cyber risk to prevent financial losses

The potential financial losses when a firm “buys a breach” can wipe out the gains from an acquisition. This makes early analysis of the target’s cyber risk not only critical from a security standpoint, but from a cost-savings standpoint as well. The transaction team may view cyber risk as a tollgate: should the pursuit continue? In order to answer this question, a representative cyber assessment must have the ability to assess a target’s risk with minimal customization. Given the binding time and resource constraints inherent in the due diligence process, the cyber due diligence process must have the following elements:

• The ability to quickly determine if there is too much risk to proceed.
• A model calibrated with data that is readily available and provides indications around the cyber risk consequences of proceeding.
• To be efficient and repeatable, the model should be complex enough to be realistic, but simple enough to be understood. For a solution to work, it needs to account for the interconnected paths that a risk could take to drive a financial loss. This landscape must include both internal decisions that can be measured with the obtainable data, as well as a view of how cyber threats (e.g., state actors, cyber criminals, hackers, etc.) view the firm and the industry.
• A collection of external data to analyze cyber threats, which can continue agnostic to the particular target that will be evaluated. Making this an ongoing process can speed the due diligence timeline

With an understanding of the vulnerabilities of a target company and potential actions from cyber threats, a firm engaging in M&A can quickly use available firm information, dark web data, and external threat data to see whether the target is in an elevated cyber risk category and more due diligence is needed. By adding these types of cyber risk solutions to the due diligence process, firms can prevent falling the way of Constantinople.

¹Trope, R. & Smedinghoff, T. (September 28, 2017). The Importance of Cybersecurity Due Diligence in M&A Transactions. American Bar Association. Retrieved October 7, 2020, from https://www.americanbar.org/groups/business_law/publications/blt/2017/09/04_trope/.

²See the Marriott website at https://mysupport.marriott.com/.

³Zorz, Z. (April 1, 2020). Marriott International 2020 data breach: 5.2 million customers affected. Help Net Security. Retrieved October 7, 2020, from https://www.helpnetsecurity.com/2020/04/01/marriott-data-breach-2020/.

⁴Clampet, J. (March 14, 2016). Starwood gets takeover bid by consortium led by Chinese firm Anbang. Skift. Retrieved October 7, 2020, from https://skift.com/2016/03/14/starwood-gets-new-takeover-bid-by-consortium-led-by-chinese-firm-anbang/.

⁵Ting, D. (March 31, 2016). Starwood Hotels bidder Anbang walks away, leaves door open for Marriott. Skift. Retrieved October 7, 2020, from https://skift.com/2016/03/31/starwood-hotels-bidder-anbang-walks-away-leaves-door-open-for-marriott/.

⁶Marriott International and Starwood Hotels & Resorts Worldwide Conference Call Transcript, November 16, 2015. Retrieved October 7, 2020, from https://marriott.gcs-web.com/static-files/3c78a80d-655b-49f9-a7db-200fbb3d23c3.

⁷See the full SEC report at https://marriott.gcs-web.com/node/25831/html.

⁸Senate Committee on Homeland Security and Governmental Affairs (March 7, 2019). Testimony of Arne Sorenson, President & CEO, Marriott International. Retrieved October 7, 2020, from https://www.hsgac.senate.gov/imo/media/doc/Soresnson%20Testimony.pdf.

⁹Hotel News Now (November 30, 2018). Marriott hit by hotel industry’s largest data breach. Retrieved October 7, 2020, from https://www.hotelnewsnow.com/Articles/291683/Marriott-hit-by-hotel-industrys-largest-data-breach.

¹⁰Fruhlinger, J. (February 12, 2020). Marriott data breach FAQ: How did it happen and what was the impact? CSO. Retrieved October 7, 2020, from https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.