
What could become one of the costliest mistakes in an M&A transaction

By Chris Harner, Chris Beck, and Blake Fleisher
16 November 2020

Cyber risk quantification during M&A due diligence is an essential cost-saving step

During the siege of Constantinople in 1453, the Byzantine Empire held a clear defensive advantage over the opposing Ottomans: the walls of Constantinople. Despite those walls, the Byzantines could not defend their capital through a 53-day siege, in part because a single gate had been left unlocked. That gate let the army of Sultan Mehmed II breach the perimeter and take the city, leading to the collapse of the empire. Had the Byzantines performed proper due diligence and secured that one gate, it might have saved the empire.

Just as walls and gates were critical during a medieval siege, a robust cyber review, one that monitors the integrity of the walls and gates together with the motivation of the besieging army, is critical in today's merger and acquisition (M&A) due diligence. M&A has long been regarded as one of the most complex, time-constrained and demanding transactions in the corporate world. In preparing for a deal, specialists conduct rigorous due diligence, evaluating every kind of potential risk in order to derive a value for the company. Yet like Constantinople's unlocked gate, a target's potentially costly cyber vulnerabilities are easily overlooked. Most of the methods used to understand a target's cyber risk exposure are time-consuming and hard to carry out without access to multiple layers of the target organization. As a result, the possibility of a cyber compromise can remain inside the acquired company without the acquirer ever knowing.

A target's cyber risk profile is an inherent concern for any firm involved in M&A. Traditionally, cyber due diligence reviews the target's risk and control assessments and tests whether its information security program stands up to them. While typical, this kind of assessment poses challenges for the M&A process. Control assessments tend to be static views of decisions already made: they are often checklists of deployed controls and mitigation plans rather than a view of overall risk. Additional assessments such as penetration testing require more time and effort than is typically available in the early evaluation stage. To balance the time-constrained nature of M&A against the need to protect against data leakage and the destruction of enterprise value, firms need an efficient and repeatable cyber risk analysis strategy.

Buying the breach

Marriott International, Neiman Marcus, and Yahoo! all inherited cyber vulnerabilities from companies they acquired.1 In all three cases, the parent company became liable for the cost of shareholder lawsuits, class-action lawsuits, and U.S. Securities and Exchange Commission (SEC) investigations. Marriott’s acquisition of Starwood stands out in particular as the most value-destroying example, with 500 million consumer records exposed and nearly $200 million in General Data Protection Regulation (GDPR) penalties.

The hotel chain was subject to an additional breach in January 2020, when cybercriminals accessed the records of 5.2 million guests through Marriott’s third-party software.2,3 These attacks underscore the kinds of legal, financial, and reputational damage that can arise when cyber risk is not assessed strategically. In order to mitigate these types of risk events, it is imperative to understand how the cyber breach emerged.

The Starwood-Marriott incident

With 10 renowned brands, including Westin and Sheraton, Starwood was one of the largest hotel companies in the world. Naturally, a high-value global franchise like Starwood attracted bids from both Marriott International, whose agreement to acquire Starwood was announced in November 2015, and, in March 2016, a consortium led by China's Anbang Insurance Group.4 When Anbang withdrew, Marriott was left to purchase Starwood for $13.6 billion.5 When asked about risk during a shareholder conference call, Marriott's CEO, Arne Sorenson, stated,

It appears that Sorenson did not fully assess cyber as a significant nonfinancial risk. Marriott’s 2016 10-K acknowledges that “cyberattacks could have a disruptive effect on [Marriott’s] business,” but lists only cyber and privacy liability insurance as a method of protection against data breaches.7 Validating that a target has an in-force cyber policy is not sufficient due diligence.

In September 2018, two years after Marriott's acquisition of Starwood, a breach of Starwood's systems dating back to 2014 was finally detected. Because Starwood's servers had by then been incorporated into Marriott's environment, the unauthorized party's existing foothold now gave it access to sensitive Marriott customer information.8 The breach was one of the largest ever disclosed, exposing records of 383 million guests, 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment cards, and 385,000 valid card numbers.9 And while some of this information was encrypted, that does not necessarily mean it was protected: the cryptographic keys used to encrypt the credit card numbers were stored on the same server as the data. An attacker holding the keys can decrypt the card numbers directly, without having to break the cipher at all.10 Encryption only counts as a control when key material is held separately from the data it protects, for example in a hardware security module or a key management service with its own access controls.

Magnitude of a breach

When a company acquires another firm, it is also acquiring all of that firm’s cyber decisions to date. As unfortunate as the Marriott breach was, it did not grind business to a halt. It was a data breach that resulted in large losses and legal costs, but Marriott was still operational during the breach. During the 2017 NotPetya attack, Maersk, the world’s largest shipper, was barely able to operate for at least 10 days. While the impact on Marriott was significant, there have been instances where damage has been worse, and had the potential to cripple the company.

Mitigating cyber risk to prevent financial losses

The potential financial losses when a firm “buys a breach” can wipe out the gains from an acquisition. This makes early analysis of the target’s cyber risk not only critical from a security standpoint, but from a cost-savings standpoint as well. The transaction team may view cyber risk as a tollgate: should the pursuit continue? In order to answer this question, a representative cyber assessment must have the ability to assess a target’s risk with minimal customization. Given the binding time and resource constraints inherent in the due diligence process, the cyber due diligence process must have the following elements:

  • The ability to quickly determine if there is too much risk to proceed.
  • A model calibrated with data that is readily available and provides indications around the cyber risk consequences of proceeding.
  • To be efficient and repeatable, the model should be complex enough to be realistic, but simple enough to be understood. For a solution to work, it needs to account for the interconnected paths that a risk could take to drive a financial loss. This landscape must include both internal decisions that can be measured with the obtainable data, as well as a view of how cyber threats (e.g., state actors, cyber criminals, hackers, etc.) view the firm and the industry.
  • A collection of external data to analyze cyber threats, which can be maintained agnostic to the particular target being evaluated. Making this an ongoing process shortens the due diligence timeline.
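The model elements listed above, as an added worked example; this is not the authors' model or any vendor tool, and every parameter value in it is constructed for the illustration. It combines the two inputs the list calls for, an internal control score taken from the target's assessment and an external threat multiplier from sector threat data, into a compound frequency/severity simulation of annual cyber loss, then applies a tollgate rule on the 95th-percentile loss. The class and function names (`CyberRiskInputs`, `tollgate` and so on) and the calibration formula in `event_rate` are assumptions made for the example.

```python
"""Frequency/severity cyber-loss model with a due diligence tollgate.

Added illustration, not the article's model. All parameter values are constructed;
a real run would calibrate them from breach-frequency studies, the target's control
assessment and external threat intelligence.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberRiskInputs:
    base_event_rate: float    # material breaches per year for a typical firm in the sector
    threat_multiplier: float  # >1.0 when external threat data shows the sector/target is actively targeted
    control_score: float      # 0.0..1.0, fraction of expected controls evidenced by the target
    median_loss: float        # median cost of one breach event (currency units)
    loss_sigma: float         # log-scale dispersion of severity; larger means a fatter tail

    def event_rate(self) -> float:
        """Annual breach rate: sector baseline scaled by threat activity and by control gaps.

        Constructed calibration (an assumption of this example): a target evidencing no
        controls runs at twice the threat-adjusted baseline, one evidencing every control at 1x.
        """
        return self.base_event_rate * self.threat_multiplier * (2.0 - self.control_score)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method for Poisson draws; adequate for the small rates used here."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(inputs: CyberRiskInputs, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: each trial draws how many breaches occur in a year and sums their costs."""
    rng = random.Random(seed)
    mu = math.log(inputs.median_loss)  # lognormal severity with the given median
    rate = inputs.event_rate()
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, inputs.loss_sigma) for _ in range(n_events)))
    return losses


def expected_annual_loss(inputs: CyberRiskInputs) -> float:
    """Closed-form mean of the compound Poisson-lognormal loss, used to sanity-check the simulation."""
    return inputs.event_rate() * inputs.median_loss * math.exp(inputs.loss_sigma ** 2 / 2)


def percentile(values: list[float], p: float) -> float:
    """Empirical p-quantile (nearest-rank) of the simulated losses."""
    ordered = sorted(values)
    index = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[index]


def tollgate(losses: list[float], tolerable_p95: float) -> dict:
    """Decision rule: escalate to deeper diligence when the 95th-percentile annual loss
    exceeds what the deal can absorb (for example, a share of the expected synergies)."""
    p95 = percentile(losses, 0.95)
    mean = sum(losses) / len(losses)
    return {
        "expected_annual_loss": mean,
        "p95_annual_loss": p95,
        "decision": "escalate" if p95 > tolerable_p95 else "proceed",
    }


# Constructed inputs for a hypothetical target (not figures from the article)
TARGET = CyberRiskInputs(
    base_event_rate=0.25,
    threat_multiplier=1.5,
    control_score=0.6,
    median_loss=4_000_000,
    loss_sigma=1.0,
)

if __name__ == "__main__":
    result = tollgate(simulate_annual_losses(TARGET), tolerable_p95=20_000_000)
    print(f"expected annual loss: {result['expected_annual_loss']:,.0f}")
    print(f"95th percentile:      {result['p95_annual_loss']:,.0f}")
    print(f"tollgate decision:    {result['decision']}")
```

Two points the shape of this model makes concrete. First, the tollgate is driven by the tail (the 95th percentile), not by the expected loss: with an event rate near 0.5 most simulated years show no loss at all, so the mean alone would understate what the acquirer is actually buying. Second, the only target-specific inputs are the control score and the median loss, both obtainable early from the target's own assessment and public data on breach costs, while the threat multiplier comes from the external threat collection that runs independently of any particular deal; that is what makes the analysis repeatable across targets.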

With an understanding of a target company's vulnerabilities and of the actions cyber threat actors are likely to take, a firm engaging in M&A can quickly use available firm information, dark web data, and external threat data to see whether the target falls into an elevated cyber risk category that calls for deeper due diligence. By adding these kinds of cyber risk solutions to the due diligence process, firms can avoid going the way of Constantinople.


1. Trope, R. & Smedinghoff, T. (September 28, 2017). The Importance of Cybersecurity Due Diligence in M&A Transactions. American Bar Association. Retrieved October 7, 2020, from https://www.americanbar.org/groups/business_law/publications/blt/2017/09/04_trope/.

2. See the Marriott website at https://mysupport.marriott.com/.

3. Zorz, Z. (April 1, 2020). Marriott International 2020 data breach: 5.2 million customers affected. Help Net Security. Retrieved October 7, 2020, from https://www.helpnetsecurity.com/2020/04/01/marriott-data-breach-2020/.

4. Clampet, J. (March 14, 2016). Starwood gets takeover bid by consortium led by Chinese firm Anbang. Skift. Retrieved October 7, 2020, from https://skift.com/2016/03/14/starwood-gets-new-takeover-bid-by-consortium-led-by-chinese-firm-anbang/.

5. Ting, D. (March 31, 2016). Starwood Hotels bidder Anbang walks away, leaves door open for Marriott. Skift. Retrieved October 7, 2020, from https://skift.com/2016/03/31/starwood-hotels-bidder-anbang-walks-away-leaves-door-open-for-marriott/.

6. Marriott International and Starwood Hotels & Resorts Worldwide Conference Call Transcript, November 16, 2015. Retrieved October 7, 2020, from https://marriott.gcs-web.com/static-files/3c78a80d-655b-49f9-a7db-200fbb3d23c3.

7. See the full SEC report at https://marriott.gcs-web.com/node/25831/html.

8. Senate Committee on Homeland Security and Governmental Affairs (March 7, 2019). Testimony of Arne Sorenson, President & CEO, Marriott International. Retrieved October 7, 2020, from https://www.hsgac.senate.gov/imo/media/doc/Soresnson%20Testimony.pdf.

9. Hotel News Now (November 30, 2018). Marriott hit by hotel industry's largest data breach. Retrieved October 7, 2020, from https://www.hotelnewsnow.com/Articles/291683/Marriott-hit-by-hotel-industrys-largest-data-breach.

10. Fruhlinger, J. (February 12, 2020). Marriott data breach FAQ: How did it happen and what was the impact? CSO. Retrieved October 7, 2020, from https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.

