Cyber issues during M&A transactions
Hall & Wilcox Partners Eden Winokur and Jacqui Barrett discuss the key lessons regarding cyber due diligence in M&A transactions that can be learned from the Marriott case after it acquired the Starwood company, which had been subject to a cyberattack. Marriott suffered significant consequences, including global legal claims and government fines.
Subscribe to our YouTube Channel to see more updates.
In 2016 Marriott acquired Starwood for around $16 billion US dollars. What Marriott didn’t know, is that in 2014 and 2015, Starwood was unfortunately subject to a cyber attack, which involved clients' personal information, credit card details and passports, being accessed by a cyber criminal. After the acquisition in 2016, a decision was taken by Marriott not to integrate the two networks.
They only became aware of the cyber issue in 2018. And so there had been a further two years of cyber criminals potentially taking the personal information of literally millions and millions of customers who booked through the reservation system for Starwood properties. For the Marriott the consequences were severe. There were legal claims from all over the world and many class actions that occurred, particularly in the USA. They had to publicly report the data breach, they had to deal with the fines coming in from different government bodies.
If a similar incident to Marriott occurred in Australia, the acquiring company would suffer significant loss and reputational damage.
From an M&A perspective, the key things that we learned from Marriott was, of course, what are we doing about our due diligence? What are we doing to protect the purchaser, when they look to acquire a business? What investigations is that purchaser undertaking? So from a legal side, of course, your lawyers can be looking at all of the contracts and all of the insurance policies and assessing the risk from that perspective. But, in tandem, what we’ve learned, of course, is to involve technical experts.
Companies should undertake a cyber audit of systems from companies that are being acquired. All companies should ensure that they have adequate risk management systems in place.
At Hall & Wilcox, we have one of the leading cyber practices, and have collectively worked on hundreds of data breaches and cyber security incidents, including some of the largest that we’ve seen in Australia.
You might be also interested in...
Cyber | 6 Jul 2022
Partners Eden Winokur and Alison Baker discuss the key issues in cyber and privacy.
Cyber | 10 May 2022
Following ASIC v RI Advice, AFSL holders should be aware that cyber security protocols are now a core obligation in the provision of financial services.