Marriott: The Case for Cybersecurity Due Diligence During M&A
If ever there was a perfectly packaged case study on data breaches, it’s Marriott’s recently disclosed megabreach. Last week, the hotel chain announced that its Starwood guest reservation system was hacked in 2014—two years before Marriott purchased Starwood properties, which include the St. Regis, Westin, Sheraton and W Hotels—potentially exposing the personal information of 500 million guests.
The consequences were almost immediate; on the day it announced the breach, Marriott’s stocks were down 5% in early trading and two lawsuits seeking class-action status (one for $12.5 billion in damages) were filed. And the U.S. Senate started to discuss stiffer fines and regulations for security breaches. So far, this is all par for the course.
But what makes Marriott’s breach particularly noteworthy is the obvious lack of cybersecurity due diligence conducted during the M&A process.
Never Ever Skip a Step
In September 2016, Marriott International announced that it had completed the acquisition of Starwood Resorts & Hotels Worldwide, creating the largest hotel company in the world. In its press release, Marriott specifically touted the best-in-class loyalty program that the two brands, combined, could now offer members.
What Marriott International executives didn’t realize was that hackers had gained unauthorized access to Starwood’s loyalty program since 2014, exposing guests’ private information including names, phone numbers, email addresses, passport numbers, dates of birth, credit card numbers and more.
However, if Marriott had done its homework, it might have avoided the mountain of legal fees and compliance fines it now faces. In today’s digital age, cybersecurity due diligence during any M&A process is, without question, imperative.
[You may also like: The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?]
And it’s not just security evangelists like myself who emphasize this. The American Bar Association likewise asserts that “it is critical to understand the nature and significance of a target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.”
The cost of cyberattacks is simply too great to not succeed in mitigating every threat, every time. A successful cyberattack and resulting data breach obliterates trust and destroys brands.
The Only Way Forward
When one company acquires another, it doesn’t just acquire assets. It also assumes the target company’s risks. Put simply, their gaps become your gaps.
In addition, lack of cybersecurity due diligence can actually undermine the value drivers of the deal. In Marriotts’ case, a big driver was retention of the Starwood high value travelers: the people who make up the loyalty program. Due the pain these customers will now endure—changing credit card numbers, passports, etc.—this value driver has been irrevocably damaged.
It is critical that organizations incorporate cybersecurity into every fabric of the business, from the C-level to IT. Securing digital assets can no longer by delegated solely to the IT department; it must be infused into product and service offerings, security, and perhaps most importantly, development plans and business initiatives. In the case of Marriott, its $13 billion acquisition of Starwood represented a strategic initiative that involved the board of directors, C-level executives and management—all of whom are now partially responsible for the erosion of Marriott’s brand affinity.
[You may also like: Why Cyber-Security Is Critical to The Loyalty of Your Most Valued Customers]
And as we’ve written before, when it comes to loyalty programs, security must transition from the domain of reactive disaster recovery and business continuity into the realm of proactive protection. If loyalty programs are designed to focus on your most valuable customers, why wouldn’t its security fall in line with the other mission-critical assets and infrastructure responsible for servicing these very clients?
Marriott’s Starwood breach is an unfortunate case study for why CEO and executive teams must lead the way in setting the tone when it comes to securing the customer experience. When cybersecurity is overlooked or treated as an afterthought, the potential damage goes far beyond dollars and cents. Your very reputation is at stake.