Request Demo

Corporate Compliance and Oversight

Marriott Breach Points To Issue In Security Reporting In M&A Deals


On Friday, November 30th, Marriott International announced what could be one of the largest data breaches in history. Over 500 million guests’ personal data, ranging from names to passport numbers to birth dates, had been compromised over four years. Specifically, the cybercriminals accessed the Starwood reservation database - Starwood hotels merged with Marriott in 2016.

While a breach of this size is unique, the situation is all too familiar. We saw in March that UnderArmour acquiree MyFitnessPal had over 150M users’ data compromised, causing UnderArmour’s stock to plummet. FedEx subsidiary TNT Express also was the victim of an attack, but FedEx was the one to feel the financial impact.

While it may not be the strategy of the cybercriminals to infiltrate potential acquisition targets, the trojan horse impact for these large acquiring enterprises can ripple for years after the acquisition.

The need for transparent cybersecurity reporting

During an M&A deal, the primary focus of the acquirer is the financial solvency of the organization. To investors, cash flow is still the currency in a deal. We live in a world, though, where information and data are just as important as cash flow. Specifically, the security protecting that data needs to be just as critical to an M&A conversation as the financial status of the acquiree.

For many organizations that still use spreadsheets, articulating the status of the security program in an effective and time-efficient manner to non-technical investors and stakeholders is nigh impossible.

CISO’s will become a critical player in M&A deals

As information security is seen as a critical business function, breaches like Marriott will become cautionary tales for M&A teams. CISO’s will need platforms and solutions that deliver comprehensive reports to summarize their program during an M&A event.

Both the buyer and seller will also need a single-pane-of-glass integrated risk solution that helps combine the two programs after the M&A event.

CISO’s need the tools to report

As we see with too many large organizations, it is too easy to overlook a cybersecurity program when it lives on spreadsheets. The fragmentation that a check-box compliance program has will continue to leave breaches like this undetected. As we’ve seen, the need for an integrated risk management solution is clear from an operational standpoint. What we will start seeing now is an integrated solution being mandated by the board and M&A committees.

You may also like

CyberSaint at RSAC 2019
on March 7, 2019

Day two of RSA and booth number 1641 is bustling. In fact, the entire Expo Hall is awash with new product announcements, compelling demos, and striking amounts of swag. The ...

Becoming Better At RSA
on February 28, 2019

Next Monday marks the start of RSA Conference 2019, where a projected 50,000 vendors and practitioners will descend on the Moscone Center in San Francisco. The theme for the ...

Digital Risk Redefines Enterprise ...
on February 26, 2019

For information leaders today, there is increasing interest from non-technical parties - from the legal team to the Board - in the ongoing question “are we secure”. The challenge ...

DFARS Cybersecurity Audits: What ...
on February 21, 2019

It’s getting real – the government is moving from self-reported compliance to external audits of a company’s cybersecurity posture: drilling deep to evaluate that company ...

Risk Quantification: It's Not ...
on February 19, 2019

Many vendors and organizations alike see opportunity in the nebulous realm of risk quantification. As we’ve seen before, risk quantification is nothing new to the world - dating ...

Why GRC Needs IRM
on February 15, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux