Cyber issues during M&A transactions

Hall & Wilcox Partners Eden Winokur and Jacqui Barrett discuss the key lessons regarding cyber due diligence in M&A transactions that can be learned from the Marriott case after it acquired the Starwood company, which had been subject to a cyberattack. Marriott suffered significant consequences, including global legal claims and government fines.

Subscribe to our YouTube Channel to see more updates.

Eden Winokur and Jacqui Barrett


[Eden Winokur:]

In 2016 Marriott acquired Starwood for around $16 billion US dollars. What Marriott didn’t know, is that in 2014 and 2015, Starwood was unfortunately subject to a cyber attack, which involved clients' personal information, credit card details and passports, being accessed by a cyber criminal. After the acquisition in 2016, a decision was taken by Marriott not to integrate the two networks.

[Jacqui Barrett:]

They only became aware of the cyber issue in 2018. And so there had been a further two years of cyber criminals potentially taking the personal information of literally millions and millions of customers who booked through the reservation system for Starwood properties. For the Marriott the consequences were severe. There were legal claims from all over the world and many class actions that occurred, particularly in the USA. They had to publicly report the data breach, they had to deal with the fines coming in from different government bodies.

[Eden Winokur:]

If a similar incident to Marriott occurred in Australia, the acquiring company would suffer significant loss and reputational damage.

[Jacqui Barrett:]

From an M&A perspective, the key things that we learned from Marriott was, of course, what are we doing about our due diligence? What are we doing to protect the purchaser, when they look to acquire a business? What investigations is that purchaser undertaking? So from a legal side, of course, your lawyers can be looking at all of the contracts and all of the insurance policies and assessing the risk from that perspective. But, in tandem, what we’ve learned, of course, is to involve technical experts.

[Eden Winokur:]

Companies should undertake a cyber audit of systems from companies that are being acquired. All companies should ensure that they have adequate risk management systems in place.

At Hall & Wilcox, we have one of the leading cyber practices, and have collectively worked on hundreds of data breaches and cyber security incidents, including some of the largest that we’ve seen in Australia.


Eden Winokur

Eden Winokur

Partner & Head of Cyber

Eden is a leading cyber, privacy, disputes and insurance lawyer who heads the Hall & Wilcox cyber practice.

Jacqui Barrett

Jacqui Barrett

Partner & Head of US Desk

Jacqui assists clients with mergers and acquisitions, corporate structuring, capital raisings and managed investment schemes.

You might be also interested in...

Cyber | 6 Jul 2022

Key cyber and privacy issues facing Australian businesses

Partners Eden Winokur and Alison Baker discuss the key issues in cyber and privacy.

Cyber | 10 May 2022

AFSL holders on notice for cyber security failings

Following ASIC v RI Advice, AFSL holders should be aware that cyber security protocols are now a core obligation in the provision of financial services.