Merger and Acquisition Use Case

In 2018, when exposed that unauthorized cybercriminals had been accessing millions of Starwood’s guests’ data since 2014, Marriott had to bear the brunt of the breach. Why? Marriott acquired Starwood back in 2016, and while this meant inheriting more hotels, it also meant inheriting Starwood’s cyber risks. So, despite the attack being initiated two years before the acquisition, it was Marriott’s responsibility to accurately assess Starwood’s cyber posture prior to integration. Failure to do so means that any cyber incident that occurs post-acquisition falls on the acquiring company. This incident is one of many that demonstrate the cybersecurity blind spot of the Mergers and Acquisitions (M&A) process.

COVID-19 has had a financial impact on almost all organizations. While this has caused an overall decline in M&A, many companies were forced to merge with, or be acquired by, another enterprise to remain in business. Hence, the cybersecurity risks of M&A remain prevalent and are only going to increase as the world recovers (financially, physically, mentally, you name it) from COVID and begins to engage in more M&A.

Attack Study – Merger and Acquisition Cybersecurity Risks

A report on the cybersecurity risks of M&A by Forescout showed that 62% of organizations agree that they face significant cybersecurity risks when acquiring new companies and that cyber risk is the greatest concern following the acquisition. For the former, cyber risks increase during the process as data and money are being transferred, which puts them in a more vulnerable position to be stolen by malicious cyber actors. More than half of acquiring companies experience a critical cybersecurity issue or incident during the M&A process. As for the latter, any cybersecurity risk associated with the target enterprise (the one being acquired) becomes the responsibility of the acquiring company. Enterprises need to know what they are acquiring – it is not only the company and its products/services but a myriad of other aspects, including cyber risks. Hence, the acquiring company must perform a comprehensive cyber assessment on the target company before integration to account for any cyber risks and to take the necessary actions to mitigate such risks. However, enterprises struggle with a lack of device visibility meaning that both parties struggle to gather the necessary information for an accurate and comprehensive cyber assessment.


Sepio Systems’ Hardware Access Control solution (HAC-1) provides a panacea to the gap in device visibility. As the leader in Rogue Device Mitigation, Sepio’s solution identifies, detects, and handles all peripherals; no device goes unmanaged. This allows for a complete asset inventory of all IT, OT and IoT devices operating on both USB and network interfaces. There is no longer the risk of certain assets going unassessed or missed during inventory. Furthermore, HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of all devices and compares them against known-to-be-vulnerable devices through its extensive built-in threat intelligence database. In doing so, HAC-1 not only detects all managed, unmanaged, and hidden devices operating within the enterprise’s infrastructure, but also reveals devices’ true identity. As such, HAC-1 automates a thorough cyber assessment that continues throughout the entire M&A process. Moreover, the comprehensive policy enforcement mechanism recommends best practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware. So, whether the device is present prior to the M&A process, or it is inserted during it, HAC-1 provides organizations with constant, real-time protection that does not just stop post-acquisition. We will be there as long as you will have us; and we are confident you will want us long after the M&A process is over.

Download Case Study