By Kelly White, CEO of RiskRecon
Mergers and acquisitions are difficult. It’s an exercise in valuation—and determining the assets and liabilities of the acquisition target is a massive undertaking. Amid the frenzy of deadline-driven, confidential due diligence, things get overlooked: no process is perfect, and usually the overlooked elements are simply the price of doing business. Sometimes, though, the overlooked items have the potential for catastrophe—like cyber risk liabilities in the acquired business’ digital infrastructure.
The most recent example of this kind of catastrophe comes from Marriott International and their acquisition of Starwood Hotels and Resorts. In April of 2016, Starwood and Marriott shareholders approved the merger, with both sides of the deal counting themselves fiscally blessed, and all seemed to be well…until Marriott discovered hackers had been accessing Starwood’s guest data since 2014. Marriott’s direct losses due to the breach range between $200 million and $600 million. On the high end, that is nearly 5% of the total Starwood acquisition price.
Verizon’s 2017 acquisition of Yahoo! was also clouded by a massive breach in which 1 billion user accounts were compromised. Fortunately for Verizon, this disclosure was revealed before the acquisition was finalized, enabling Verizon to adjust the acquisition price downward by $350 million to account for the potential breach liability.
These events compel Board members and executives to take steps to mitigate the cyber risk liabilities inherent in their acquisition targets. As we saw from Marriott’s and Verizon’s experience, these liabilities can account for upwards of 7% of the total acquisition cost. Here are some suggestions organizations should consider implementing to help mitigate risk:
Seek to gain an objective understanding of the company’s IT environment and security risk.
Short of an acquisition target lying during the due diligence process, it is incumbent on you to know the IT environment and the security risk of the company you are acquiring. Once that acquisition closes, it is your IT environment to administer and it is your cyber risk to manage.
Knowing the environment and risks beforehand enables you to establish merger costs and potential liabilities with the Board. That knowledge also gives you a lever in acquisition price negotiations. As a very simple example, if the company has 10,000 workstations with no endpoint security, that liability can be factored into the negotiations.
The most reliable information is objectively gathered information. It’s likely that Marriott required that Starwood document all known data breaches and system compromise events. Could Marriott have known of the breach prior to the acquisition by conducting deep monitoring of the Starwood network? Perhaps Marriott’s own evaluation of Starwood’s information security program would have revealed that the program was insufficient to prevent, detect, and contain a compromise.
Use cyber risk rating information to objectively understand the acquisition’s IT environment.
M&A due diligence is conducted confidentially so as not to cause harm to either party. But gaining an objective understanding of an organization’s IT landscape is difficult under such constraints. Cyber risk rating tools can help you gain a deep understanding of the company’s internet-facing IT infrastructure, spanning systems, hosting providers, and the geolocation of the systems. Cyber risk rating providers can even give you insight into the software the systems are using.
This data can also tell you about the quality of the acquisition’s IT operations. Are their software stacks compatible with your environment? Does the environment appear to be well managed, with system hosting consolidated into a small number of reputable hosting providers? If the systems haven’t been managed well, use that to your advantage during the negotiation process.
Investigate how well your acquisition is inventorying and managing their digital systems.
Compare the list of systems you “discover” with the company’s asset inventory to assess the completeness of their records. Organizations that manage IT well will have records for all but a few of their internet-facing systems. Be very suspicious of the IT and security operations of a company that cannot account for their systems well. You can’t protect something if you don’t know it exists.
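The inventory check described above, as an added illustration rather than code from the author or from RiskRecon: externally discovered systems are matched against the target’s self-reported inventory by normalized host name or IP, and the unaccounted and stale records are reported. The host names, IPs and the 5% “all but a few” threshold are constructed assumptions.

```python
"""Reconcile discovered internet-facing systems against an asset inventory.
Added example; sample records below are constructed, not real data."""
import ipaddress

# Constructed: what external discovery (e.g. a cyber risk rating scan) returned
DISCOVERED = [
    {"host": "www.target-co.example", "ip": "203.0.113.10"},
    {"host": "Mail.target-co.example.", "ip": "203.0.113.25"},   # case/dot noise
    {"host": "legacy-vpn.target-co.example", "ip": "198.51.100.7"},
    {"host": "dev-api.target-co.example", "ip": "198.51.100.44"},
    {"host": "", "ip": "203.0.113.200"},                          # no reverse DNS
]
# Constructed: the target's self-reported inventory (CMDB export)
INVENTORY = [
    {"host": "www.target-co.example", "ip": "203.0.113.10"},
    {"host": "mail.target-co.example", "ip": "203.0.113.25"},
    {"host": "dev-api.target-co.example", "ip": ""},
    {"host": "old-crm.target-co.example", "ip": "203.0.113.99"},
]

def norm_host(h):
    """Lower-case and strip the trailing dot so FQDN variants compare equal."""
    return h.strip().lower().rstrip(".")

def norm_ip(ip):
    """Canonical IP text, or '' if the field is empty or malformed."""
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return ""

def keys(rec):
    """Matching keys for one record: a record matches on host OR on IP."""
    ks = set()
    if norm_host(rec.get("host", "")):
        ks.add(("host", norm_host(rec["host"])))
    if norm_ip(rec.get("ip", "")):
        ks.add(("ip", norm_ip(rec["ip"])))
    return ks

def reconcile(discovered, inventory, max_unaccounted_pct=5.0):
    """Discovered systems absent from inventory (unaccounted), inventory rows
    never seen externally (stale), and whether the gap is within threshold."""
    inv_keys = set().union(*(keys(r) for r in inventory))
    disc_keys = set().union(*(keys(r) for r in discovered))
    unaccounted = [r for r in discovered if not keys(r) & inv_keys]
    stale = [r for r in inventory if not keys(r) & disc_keys]
    pct = 100.0 * len(unaccounted) / len(discovered) if discovered else 0.0
    return {"unaccounted": unaccounted, "stale": stale,
            "unaccounted_pct": round(pct, 1),
            "well_managed": pct <= max_unaccounted_pct}
```

Run against the sample data, two of five discovered systems (40%) have no inventory record, so the target would not pass the “all but a few” bar.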
Objectively assess the information security posture.
Of course, it is essential that you assess the quality of the company’s information security. In evaluating the enterprise’s information security, understand the completeness of their investments across people, processes, and technology. But don’t stop there—objectively understand how well they implement and operate their information security investments. In doing so, leverage a framework such as the NIST Cyber Security Framework, which provides a broad breadth of assessment criteria across the essential categories of identify, protect, respond, and recover.
Cyber risk rating providers can help you assess these categories. In addition to enabling you to assess how well organizations formally track their systems, you can passively assess the security risk of internet-facing systems across multiple security domains spanning 39 security criteria, giving you visibility into areas such as software patching, web encryption, email security, and so forth. You can leverage this objective cyber risk assessment insight to inform M&A information security discussions. For example, a high rate of web encryption issues in sensitive systems may warrant a deeper dive into web application security practices. A prevalence of important software patching issues in sensitive systems may warrant discussions and further testing of the vulnerability management program.
Carve out holdbacks for pre-existing cybersecurity breaches.
Despite your best efforts to understand the cyber liabilities in your acquisition target, it is difficult to gain 100% certainty, particularly for large enterprises. Even pending liabilities from a known breach are difficult to quantify. Verizon addressed this risk by requiring that Yahoo! split the legal and regulatory liabilities 50/50 in addition to reducing the acquisition price by nearly 7% ($350 million). It was a wise decision: in October 2017, after the acquisition, Yahoo! disclosed that all 3 billion user accounts had been compromised, expanding the liability.
Such legal agreements to share the costs related to pending liabilities are referred to as “holdbacks.” In a holdback, a portion of the acquisition price is held in escrow and paid out upon satisfaction of the liabilities. In the case of unknown data breach liabilities, such as those Marriott experienced, the holdback money could be held in escrow until sufficient time had passed to discover unknown compromises.
Your acquisition target will fight against any holdback, but your work to assess the quality of the company’s IT operations and your cyber risk assessment will help your cause. At a minimum, it will serve as a lever to allow deeper inspection.
Ultimately, it is on you to understand the cyber risk assets and liabilities of the company you are acquiring. The better information you have, the more accurate your assessment will be. Verizon got lucky—Yahoo’s data breach was disclosed during negotiations, and Verizon was able to rightly discount the acquisition price and require sharing of related legal and regulatory expenses. But Marriott wasn’t so lucky: their lack of investigation led to a tremendous financial loss that’s still ongoing and not yet fully quantifiable. Don’t leave it to luck. Objectively evaluate your acquisition and make sure you have a complete understanding of its digital infrastructure. When it comes to M&As, knowledge is king.