When a cyber breach occurs, a company is required to disclose and report the extent of the breach, the individuals affected, and the steps it is taking to mitigate exposure to regulators, employees, affected individuals, and the organization's other stakeholders. Many companies take an inordinate amount of time to investigate breaches and potential breaches, exposing affected individuals to even more risk. Equifax discovered it had been breached on July 29, 2017 but did not report the matter until September 7, 2017. Marriott disclosed its breach on November 30, 2018, roughly three months after its security tooling first flagged the intrusion in early September 2018. The disclosure also revealed that unauthorized access to guest data in the Starwood reservation database dated back to 2014, before Marriott acquired Starwood in 2016. The Marriott breach exposed disclosure issues that need to be seriously addressed.[1] It also highlights a risk to any acquiring company: an M&A target may carry hidden cyber risks that are not surfaced during due diligence.
The risk associated with the hack stemmed from Marriott's purchase of the Starwood chain. Starwood had been hacked in 2015 and believed it had cleaned up the intrusion, unaware that a second, more dangerous piece of malware remained on its systems. This was not disclosed to Marriott during the acquisition.[2]
The Marriott breach specifically exposed the problem of cyber-risk disclosure in an M&A transaction. When Marriott purchased Starwood Hotels, it had not contemplated this exposure. Further, was Starwood even under any requirement to disclose the issue at all? Among the findings of the investigation report on this breach, four issues stand out:
Companies should be more vigilant in the merger and acquisition process and assess the cyber risk of an acquisition target as part of due diligence, and governments should continue to strengthen legislation and regulation so that companies are required to disclose all potential breaches and risks in a timely and consistent manner.
[1] https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are
[2] https://www.insurancejournal.com/news/national/2018/12/03/510811.htm