On Friday, November 30th, Marriott International announced what could be one of the largest data breaches in history. Over 500 million guests’ personal data, ranging from names to passport numbers to birth dates, had been compromised over four years. Specifically, the cybercriminals accessed the Starwood reservation database - Starwood hotels merged with Marriott in 2016.
While a breach of this size is unique, the situation is all too familiar. We saw in March that UnderArmour acquiree MyFitnessPal had over 150M users’ data compromised, causing UnderArmour’s stock to plummet. FedEx subsidiary TNT Express also was the victim of an attack, but FedEx was the one to feel the financial impact.
While it may not be the strategy of the cybercriminals to infiltrate potential acquisition targets, the trojan horse impact for these large acquiring enterprises can ripple for years after the acquisition.
The need for transparent cybersecurity reporting
During an M&A deal, the primary focus of the acquirer is the financial solvency of the organization. To investors, cash flow is still the currency in a deal. We live in a world, though, where information and data are just as important as cash flow. Specifically, the security protecting that data needs to be just as critical to an M&A conversation as the financial status of the acquiree.
For many organizations that still use spreadsheets, articulating the status of the security program in an effective and time-efficient manner to non-technical investors and stakeholders is nigh impossible.
CISO’s will become a critical player in M&A deals
As information security is seen as a critical business function, breaches like Marriott will become cautionary tales for M&A teams. CISO’s will need platforms and solutions that deliver comprehensive reports to summarize their program during an M&A event.
Both the buyer and seller will also need a single-pane-of-glass integrated risk solution that helps combine the two programs after the M&A event.
CISO’s need the tools to report
As we see with too many large organizations, it is too easy to overlook a cybersecurity program when it lives on spreadsheets. The fragmentation that a check-box compliance program has will continue to leave breaches like this undetected. As we’ve seen, the need for an integrated risk management solution is clear from an operational standpoint. What we will start seeing now is an integrated solution being mandated by the board and M&A committees.