The recent Marriott International Inc. cybersecurity breach provides an excellent lesson on the importance of strong IT diligence and the consequences of not paying enough attention to it in mergers and acquisitions. The details of the hack thus far indicate cybersecurity gaps during the due diligence process when Marriott merged with Starwood Hotels.
Every company that stores electronic data, has a website that collects data or connects to the outside electronic world is vulnerable. When considering an acquisition transaction, it is essential to conduct cybersecurity diligence on the target company, including drilling down on policies, incident response plans, breaches, security and backup measures and other types of legal diligence. It is also important to get strong cyber representations and warranties, but those are likely subject to the usual limitations. Separate from the legal review, in-house IT experts or external IT vendors should conduct physical and technical IT and cybersecurity diligence on a target’s systems and networks, including testing firewalls. Keep in mind that it is not only customer data that needs to be protected but also data of employees, consultants and suppliers.
While this type of diligence can be time-consuming and expensive, the benefits far outweigh the risks, as the Marriott hack has exposed. This recent example shows that even very large public companies may not be doing enough.