In 2018, when exposed that unauthorized cybercriminals had been accessing millions of Starwood’s guests’ data since 2014, Marriott had to bear the brunt of the breach. Why? Marriott acquired Starwood back in 2016, and while this meant inheriting more hotels, it also meant inheriting Starwood’s cyber risks. So, despite the attack being initiated two years before the acquisition, it was Marriott’s responsibility to accurately assess Starwood’s cyber posture prior to integration. Failure to do so means that any cyber incident that occurs post-acquisition falls on the acquiring company. This incident is one of many that demonstrate the cybersecurity blind spot of the Mergers and Acquisitions (M&A) process.
COVID-19 has had a financial impact on almost all organizations. While this has caused an overall decline in M&A, many companies were forced to merge with, or be acquired by, another enterprise to remain in business. Hence, the cybersecurity risks of M&A remain prevalent and are only going to increase as the world recovers (financially, physically, mentally, you name it) from COVID and begins to engage in more M&A.Download Case Study