Cyber Due Diligence Is the Key to the Success of Mergers and Acquisitions
2019-03-11 10:49 Monday
Marriott International bought the Starwood hotel chain for $13.6 billion in 2016. In November 2018, Marriott notified the public and regulators that the Starwood network had been inbreaked in 2014, exposing at least 500 million customer records to cyber criminals. The news sent Marriott's shares tumbling 5.6%. The company could face huge fines and severe damage to its brand and reputation.
Thorough and reasonable cyber due diligence is an often overlooked but vital step in successful mergers and acquisitions.
When an enterprise makes a merger or acquisition, it should pay attention to the threat of undiscovered or undisclosed security holes. The findings could wreak havoc on the acquiring company once the deal is completed, or on the target company if vulnerabilities are discovered before the deal is completed.
The due diligence process for mergers and acquisitions is extensive and thorough, including finance, leadership, intellectual property, customer base, strategy, assets and partners and supplier contracts. During this important vetting period, a key element of due diligence in mergers and acquisitions is cybersecurity.
A thorough investigation of the security situation of the target company through cyber due diligence can not only help buyers fully understand the risks, but also provide opportunities for the target company. Reducing any vulnerabilities before the acquisition ensures maximum shareholder value and a seamless transition period after the transaction.
Appropriate reviews will verify that the security infrastructure and processes are fully deployed and correctly run as disclosed. It is also important to fully identify and inventory all IT assets.
According to various estimates, 20 to 50% of the data and applications on the enterprise network are unknown or not managed by IT, which carry associated risks that should be reviewed and accepted or mitigated with appropriate controls. When conducting an cyber survey, it is estimated to take 30-45 days to complete the study.
Finally, it is strongly recommended that existing NDA (non-disclosure agreement) be reviewed as part of a merger or acquisition to understand the consequences of enforcement if necessary.