Cyber issues during M&A transactions

Videos13 Sept 2022

Hall & Wilcox Partners Eden Winokur and Jacqui Barrett discuss the key lessons in cyber due diligence that can be learned from the Marriott case.

Hall & Wilcox Partners Eden Winokur and Jacqui Barrett discuss the key lessons regarding cyber due diligence in M&A transactions that can be learned from the Marriott case after it acquired the Starwood company, which had been subject to a cyberattack. Marriott suffered significant consequences, including global legal claims and government fines.

Subscribe to our YouTube Channel to see more updates.

Transcript

Eden Winokur and Jacqui Barrett

[Transcript]

[Eden Winokur:]

In 2016 Marriott acquired Starwood for around $16 billion US dollars. What Marriott didn’t know, is that in 2014 and 2015, Starwood was unfortunately subject to a cyber attack, which involved clients’ personal information, credit card details and passports, being accessed by a cyber criminal. After the acquisition in 2016, a decision was taken by Marriott not to integrate the two networks.

[Jacqui Barrett:]

They only became aware of the cyber issue in 2018. And so there had been a further two years of cyber criminals potentially taking the personal information of literally millions and millions of customers who booked through the reservation system for Starwood properties. For the Marriott the consequences were severe. There were legal claims from all over the world and many class actions that occurred, particularly in the USA. They had to publicly report the data breach, they had to deal with the fines coming in from different government bodies.

[Eden Winokur:]

If a similar incident to Marriott occurred in Australia, the acquiring company would suffer significant loss and reputational damage.

[Jacqui Barrett:]

From an M&A perspective, the key things that we learned from Marriott was, of course, what are we doing about our due diligence? What are we doing to protect the purchaser, when they look to acquire a business? What investigations is that purchaser undertaking? So from a legal side, of course, your lawyers can be looking at all of the contracts and all of the insurance policies and assessing the risk from that perspective. But, in tandem, what we’ve learned, of course, is to involve technical experts.

[Eden Winokur:]

Companies should undertake a cyber audit of systems from companies that are being acquired. All companies should ensure that they have adequate risk management systems in place.

At Hall & Wilcox, we have one of the leading cyber practices, and have collectively worked on hundreds of data breaches and cyber security incidents, including some of the largest that we’ve seen in Australia.