Cybersecurity in digital due diligence


Good cybersecurity plays an important role in mergers and acquisitions. In the major Marriott data scandal in 2018, security was not given sufficient attention in advance.

Mergers & Acquisitions (M&As) offer significant opportunities for companies to achieve rapid growth or gain competitive advantage. These range from the pooling of resources and the diversification of the product and service portfolio to the opening up of new markets and the acquisition of new technologies or specialist knowledge.

Every M&A transaction is associated with a complex and detailed due diligence review, i.e. a careful review of the entire company. Based on the findings from this, it can be estimated how complex it will be to merge with the existing business structures. The smoother the integration processes, the greater the success of the transaction in the end. Traditionally, the M&A review has primarily focused on finance, legal, business operations, and human resources. With increasingly digital business processes, it is becoming apparent that due diligence should also be carried out in the area of cybersecurity.

2018 Marriott data scandal

A wake-up call in this regard is the 2018 Marriott data scandal, which is a powerful example of the potentially serious repercussions of a failed cybersecurity due diligence review. The acquisition of Starwood Hotels & Resorts by Marriott in 2016 created one of the largest hotel chains in the world. The offer for Marriott and Starwood customers grew to over 5,500 hotels in 100 countries. At the time, however, Marriott had no knowledge that Starwood's IT systems had been compromised in 2014. It was not until November 2018 that Marriott finally discovered that unauthorized parties had been accessing the personal data of around 339 million guests worldwide via Starwood's reservation database for years.

The British data protection regulator ICO found in its investigation report that Marriott had not exercised sufficient care in purchasing Starwood and should have done more to secure its systems. Furthermore, a year ago it announced its intention to penalize the hotel chain for this violation of the GDPR with a fine of 99 million pounds.

Digital due diligence requirement

Nowadays, companies of all sizes increasingly rely on cloud-based tools, IoT and digital connection services to serve their customers and handle business processes. As a result, increased connectivity gives cybercriminals more opportunities to launch malicious attacks, steal data, or try to disrupt business operations. Therefore, conducting a detailed cybersecurity review and assessment is vital to uncover critical vulnerabilities that could prove to be deal breakers. It is advisable to use an approach that starts directly with the data and, based on this, evaluates the associated structures and processes:

1. Knowledge of your own systems

First of all, organizations that participate in M&A activities need complete transparency about their own IT systems before they can make a reliable assessment of others. In this way, overarching security guidelines can be created for both structures. This forms the basis for an integration strategy that prevents new weak points from arising when platforms, solutions and services are brought together. A secure IT ecosystem includes the enforcement of granular security guidelines, the encryption of data, real-time protection against data loss, user access controls and continuous monitoring.

2. Inventory of the data stocks

An inventory of all data is the first step necessary to understand what data is being collected, how and where it is being stored, and how long it is being kept before it is disposed of. This enables international companies in particular to gain insights into locally applicable legal requirements and internal regulations. DLP (Data Loss Prevention) functions help identify sensitive and regulatory data patterns that are potentially at risk. Activity logs, which record all user, application, and file activity in detail, are also helpful.

All internal and external cybersecurity audits and assessments should be used to get to the bottom of possible, previously undisclosed data protection violations. They can shed light on the possible weaknesses of the existing security measures and thus help in assessing the risk potential.

3. Development of an integrative security strategy

After determining what data needs to be protected and where it is stored, the next challenge is to understand who has access to the data, what happens to it, and what devices are used to access it. Effective cybersecurity depends on being able to protect all sensitive data within any application, on any device, anywhere. Associated with this is adequate visibility of all endpoints, web destinations, devices and applications - along with access policies that ensure that only authorized users have access to sensitive data.

The detailed evaluation of all IT systems and network endpoints in the company is necessary in order to be able to plan how both units can combine their IT systems and processes and guarantee a smooth business process after the integration. For example, it must be determined how much effort is required to correct existing weaknesses in the security architecture and to make the merged infrastructure resilient to risks.

Reliable IT management as a success factor

A well-organized IT administration ultimately simplifies due diligence procedures for everyone involved and thus forms a success factor in entrepreneurial activity. In order to be able to develop suitable assessment criteria for security and data protection, it is an important prerequisite that companies also meet high standards with their own systems. Otherwise there is a risk that they will integrate their own failures into even larger structures and cause serious damage. A reliably managed IT landscape is therefore in the interests of all companies - both those who want to expand and those who want to attract suitable buyers.
