Cyber Security due diligence is now a key step in your M&A strategy

Marriot International Inc (Marriot) acquired Starwood Hotels & Resorts Inc (Starwood) in 2016 for c$13.6bn unaware that Starwood’s guest booking system was unsecure.

In 2014, before the acquisition took place, Starwood’s guest booking system suffered a cyber-attack affecting 339 million guests’ personal data (such as names, phone numbers, email addresses, passport numbers, loyalty membership numbers and arrival and departure details). Seven million of those records related to people in the UK.

The attack remained undetected until 2018 (long after Marriot had acquired Starwood).

The precise number of guests affected remains unknown as individual guests may have had multiple records.

Following Marriot’s acquisition of Starwood and once the attack had become public, the Information Commissioner’s Office (ICO) carried out a formal investigation. The ICO concluded that Marriot had not put appropriate “technical or organisation measures in place to protect the personal data being processed on its systems”. The ICO fined Marriot £18.4m.

Thirty-nine per cent of businesses, and 26% of charities, reported cyber security breaches or attacks in the 12 months before 21 March 2021 (according to The Department for Digital, Culture, Media & Sport Cyber Security Breaches Survey 2021).

Twenty-one per cent of those business, and 18% of those charities, ended up losing money, data or other assets.

The graph below shows the increase in reported cyber security incidents between the years 2019 to 2022.

The financial risks of cyber-crime are significant and continue to grow. According to the Metropolitan Police, cyber-crime has now overtaken real world crime.

Source: ICO Data Security Incident Trends

What impact could a cyber-attack have on your business?

As cyber security risks for business increase, cyber security merger and acquisition (M&A) due diligence will become more important as part of the overall diligence landscape. Cyber security breaches in a target business can result in, for example, the following:

• Business interruption through IT systems suffering down time
• A brands reputation incurring long term damage (including trust in the target business’s brand)
• Loss of revenue and customers
• Loss of competitive data
• Costs of carrying out remedial action, legal claims and improving cyber security

The COVID-19 pandemic has also dramatically altered the way businesses operate with the biggest change being the huge number of staff now working from home. This has increased businesses’ cyber-risks and increased the opportunities available to cybercriminals looking to exploit cyber security weaknesses.

Cyber-attacks can materially damage businesses. Attacks have included intellectual property theft and phishing and ransomware attacks.

The ICO is now clamping down on businesses which do not adequately protect their data and, as with the Marriot case, the ICO has the potential to issue huge fines.

Cyber security due diligence

Given the ICO’s clampdown and increasing cyber-risks, there is a growing need for cyber security diligence to be carried out as part of a buyer’s overall M&A investigations into a target business. Consequently, given that the value of a target business can be impaired by cyber security weaknesses and data vulnerability, it is essential for business leaders to now consider it as part of the M&A diligence landscape.

Areas that you should consider in carrying out such diligence are:

• Breach history
• The value of a target business’s data – in order to consider the target business’s overall value
• Cyber security audit / penetration testing (including potentially doing the same for a target business’s suppliers)
• What data protection measures have been implemented
• Disaster recovery and business continuity plans
• Industry specific data regulation compliance
• Search of the dark web to find out if there is evidence of a cyber-security breach – for example, any offer for the sale of client / customer personal data

In light of ever growing cyber security risks, a buyer will need to consider the extent of its cyber security due diligence and its overall importance to its acquisition diligence.  Seller and target businesses may also want to health check their cyber security protection and policies before sale. Cyber security is also not just an area that should be considered in the context of M&A – funders may also want to carry out cyber security due diligence, and businesses looking for additional or new funding should also consider carrying out cyber security health checks in advance.

At Blake Morgan we act for business seeking to raise funds as well as buyers and sellers of tech businesses or businesses that heavily rely upon data.

If you are considering an acquisition or about to raise funds or invest, contact Blake Morgan’s technology team to discuss what level of cyber security due diligence should be considered.