Corporate Compliance and Oversight

Marriott Breach Points To Issue In Security Reporting In M&A Deals


On Friday, November 30th, Marriott International announced what could be one of the largest data breaches in history. Over 500 million guests' personal data, ranging from names to passport numbers to birth dates, had been compromised over four years. Specifically, the attackers accessed the Starwood reservation database; Starwood Hotels merged with Marriott in 2016.

While a breach of this size is unique, the situation is all too familiar. We saw in March that Under Armour acquiree MyFitnessPal had over 150M users' data compromised, causing Under Armour's stock to plummet. FedEx subsidiary TNT Express was also the victim of an attack, but FedEx was the one to feel the financial impact.

While it may not be the strategy of the cybercriminals to infiltrate potential acquisition targets, the Trojan-horse effect on these large acquiring enterprises can ripple for years after the acquisition.

The need for transparent cybersecurity reporting

During an M&A deal, the primary focus of the acquirer is the financial solvency of the organization. To investors, cash flow is still the currency in a deal. We live in a world, though, where information and data are just as important as cash flow. Specifically, the security protecting that data needs to be just as critical to an M&A conversation as the financial status of the acquiree.

For many organizations that still use spreadsheets, articulating the status of the security program in an effective and time-efficient manner to non-technical investors and stakeholders is nigh impossible.

CISOs will become a critical player in M&A deals

As information security comes to be seen as a critical business function, breaches like Marriott's will become cautionary tales for M&A teams. CISOs will need platforms and solutions that deliver comprehensive reports summarizing their program during an M&A event.

Both the buyer and seller will also need a single-pane-of-glass integrated risk solution that helps combine the two programs after the M&A event.

CISOs need the tools to report

As we see with too many large organizations, it is too easy to overlook a cybersecurity program when it lives on spreadsheets. The fragmentation inherent in a check-box compliance program will continue to leave breaches like this one undetected. As we've seen, the need for an integrated risk management solution is clear from an operational standpoint. What we will start seeing now is an integrated solution being mandated by the board and M&A committees.
