On 30 October 2020 the Information Commissioner's Office (ICO) issued a penalty notice against Marriott International Inc (Marriott), fining Marriott £18.4 million for infringements of the General Data Protection Regulation (the GDPR).
The cyber-attack on the reservation database of Starwood Hotels and Resorts Worldwide Inc (Starwood) began in 2014, before Marriott's acquisition of Starwood, and went undetected until 2018. The fine illustrates the importance of carrying out thorough cyber due diligence when acquiring a business, and of continuing to monitor the acquired systems after the acquisition to ensure compliance.
The ICO penalty notice referred to Marriott's acquisition of the Starwood hotel chain in September 2016 and noted that Marriott had only been able to carry out limited due diligence on Starwood's data processing systems and databases.
The ICO did not determine whether or not it was possible for Marriott to conduct due diligence during the takeover, and its decision related solely to Marriott's failures after 25 May 2018. Nevertheless, it noted that "even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott's obligation to ensure, on a continuing basis, that it complied with the GDPR". Marriott's failure to implement appropriate security measures in relation to the systems it acquired from Starwood was a key conclusion of the ICO.
Buyers use the due diligence process on an acquisition to gather information about the target company or business that is being sold to assess the risks of the acquisition and to seek contractual protections from the seller.
All businesses depend on computer systems, data processing systems and databases, so cyber due diligence is essential on any acquisition: it identifies vulnerabilities and the damage that may occur, or may already have occurred, as a result of a breach. Cybersecurity should be treated as a risk category in its own right.
Our recent whitepaper on enhancing cyber resilience found that 60% of SMEs that were victims of cyber-attacks did not recover and closed within six months. Cyber-attacks present a huge risk to the value of companies.
Cyber due diligence would focus on the following areas (amongst others):
- The target's incident history and incident-response capabilities – have there been any major security incidents or data breaches, what were the implications (such as regulatory fines), and how did the target deal with those incidents? Has a dark web search been conducted for signs of a breach, such as the target's personal data being offered for sale?;
- An audit of the target's privacy and cybersecurity policies and of its compliance with industry-specific regulation – is the target complying with its own policies and its regulatory obligations, and has the risk posed by any non-compliance been evaluated?;
- A risk assessment across the target's supply chain – what data do suppliers need to access, and what risks do those relationships carry? Suppliers are given access to confidential and sensitive data in order to provide their services; if that access is not adequately controlled and monitored, the supply chain can act as an open door for attackers to infiltrate the target's systems;
- An evaluation of the ability of the target and its suppliers to withstand a cyber-attack, by conducting penetration testing; and
- An evaluation of the contractual matrix – how does the target deal with data protection and cyber security in its contracts? Are minimum security measures set for suppliers in the contracts of supply, and is there a right to audit supplier security arrangements?
There will of course be limitations and challenges to conducting such due diligence, such as lack of cooperation from the target organisation, the speed of the transaction and the confidentiality of the acquisition. Following the acquisition, and before the acquired systems are integrated, further analysis should be undertaken to evaluate the risks.
Regardless, this is an area of concern which all boards should be aware of and give serious thought to. If you would like to discuss any of the issues highlighted in this article, please do not hesitate to contact one of our cyber team, who would be happy to discuss them further.