Disclosing Cyber Risks



When a cyber breach occurs, a company is required to disclose and report the extent of the breach, the individuals affected and the steps it is taking to mitigate exposure to regulators, employees, affected individuals and the organization's other stakeholders. Many companies take an inordinate amount of time to investigate breaches and potential breaches, exposing affected individuals to even more risk. Equifax realized it had been breached on July 29, 2017, but did not report the matter until September 7th. Marriott disclosed its breach on November 30, 2018, but it took three months before revealing it had been breached through a bug that should have been disclosed. Additionally, the disclosure revealed that customer data had been exposed since 2014, when Marriott purchased the Starwood chain. The Marriott breach revealed disclosure issues that need to be seriously addressed.[1] This exposes any acquiring company to the risk of hidden cyber liabilities in an M&A transaction.

The risk associated with the hack arose when Marriott bought out the Starwood chain. Starwood had been hacked in 2015 and thought it had cleared the intrusion, unaware that a second, more dangerous virus had been left behind. Starwood did not disclose this to Marriott in the buyout proceedings.[2]

The Marriott breach specifically revealed disclosure gaps in an M&A transaction. When Marriott purchased Starwood Hotels, it had not contemplated this exposure. Further, was there even a requirement for Starwood to disclose this issue at all? Among the findings of the investigation into this breach, four issues stand out:

  1. Inadequate Disclosure: Current disclosure rules are at best vague guidelines from the Securities and Exchange Commission (SEC). The SEC does not have specific guidance in place requiring any company to disclose a breach, which explains
  2. Cost Cutting during Mergers: The evidence in the Marriott breach points to the Starwood Hotels systems, not Marriott's, as the source of the breach, as Starwood had suffered a smaller-scale hack before being bought out. Consistent with many mergers, most of the top-level staff were terminated, including those in IT and cyber security. Many suggest that in mergers the target should disclose to the buyer whether it has ever had a breach.
  3. Better Expertise on Boards: Most boards, including Marriott's, have little to no experience in cyber security; hence they have to rely on outside experts. In the future, many boards are expected to recruit directors with cyber security experience.[3]

Companies should be more vigilant in the merger and acquisition process to assess the cyber risk of an acquisition target and the government should continue to enhance legislation and regulation to force companies to disclose all potential breaches and risks in a timely and consistent manner.


[1] https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are

[2] https://www.insurancejournal.com/news/national/2018/12/03/510811.htm

[3] https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are
