Royalty-free stock photo by Cytonn Photography via Unsplash


Are You Evaluating Your Target Acquisition Through the Cyber Security Lens?

By Sourya Biswas, Principal Security Consultant, NCC Group

Caveat emptor, Latin for “Let the buyer beware,” is the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made. It is traditionally rooted in information asymmetry, where the seller knows of possible shortcomings that the buyer doesn’t. While legal protections, such as binding warranties, can be implemented, it’s still prudent to conduct due diligence to discover issues before the purchase is closed.

This is especially true in the world of mergers and acquisitions (M&A), or more generically the transaction space. Though buyers generally conduct due diligence during any M&A transaction, cyber security considerations often take a backseat to evaluating revenue multipliers, cost synergies, and operating efficiencies. While it’s understandable that the business drivers mentioned above should constitute the evaluation process, underestimating the impact of cyber security (or lack thereof) can have significant ramifications down the road. This moves the discussion from “Let the buyer beware” to “Proceed at your own risk.”

In some cases, the decision to purchase has already been made and the due diligence process becomes an exercise of questionable value. It’s not unknown for a company to make an acquisition just so its competitor can’t, or to stifle competition. In such a situation, where revenue and cost concerns are overlooked, cybersecurity may not even make it to the top of mind, let alone be a part of the actual due diligence process.

Much of this may be attributed to the understated role that security plays in business, mainly that it is viewed simply as a cost of doing business and compliance, dismissively categorized as “pay to play.”

This need not be the case; cyber security can and should be a business enabler and the basis for competitive differentiation. Securing information matters, whether it is Personally Identifiable Information (PII) related to consumers, Intellectual Property (IP), or indeed any case where the confidentiality, integrity, and/or availability of information.

The Case of Marriott

Marriott may well have wished they had paid more attention to cyber security in their acquisition of Starwood Hotels in 2016. The ensuing breach is an enlightening case study on how security issues from years past can come back and make their presence felt.

On September 30, 2018, Marriott International, the third largest hotel chain in the world, disclosed a breach of 500 million customer records; these included personally identifiable information (PII) like names, email addresses, phone and passport numbers, and payment card information. Aside from the tangible costs to investigate and remedy the breach and the intangible costs of reputation loss, Marriott now faces a monumental $123 million penalty for GDPR violations. Add that to the potential payouts from several ongoing class action lawsuits and, well, let’s just say it isn’t a situation any company ever wants to be in.

Forensic analysis determined that the Starwood network had actually been compromised as far back as 2014, two years before the acquisition. This begs the obvious question, why didn’t Marriott’s due diligence of Starwood back in 2016 detect something? Even if the breach itself was not detected, adequate cyber security due diligence may have revealed control gaps.

To summarize, as the buyer in an acquisition, you can never be too careful. Or as the ancient saying goes, “caveat emptor.”

