What CEOs Can Learn From Marriott/Starwood Breaches

Cyber defense is no longer a compliance initiative — it’s now a CEO and board-level topic. When we see leading brands like Marriott with healthy security budgets get owned by the threat actors we should all take note that what we put in place yesterday — or even today — isn’t good enough, unless it has a dynamic and future-proof roadmap.

CEOs should initiate a comprehensive security review that encompasses technologies, procedures, and general system health. All too often cybersecurity is approached from a defensive posture where parameters are built around existing systems. Even when best-of-breed technologies are used, cybersecurity is a complex set of layers that should work collaboratively but may require stand-alone review. Policies should be regularly audited, systems must conform to those policies, and defensive measures must be in place to ensure anomalous events are recognized and acted upon.

What information and systems are most likely to be at risk during M&A?

Threat actors are trolling for deal information that allows them to front run a deal and profit from it. Any system can be subject to breach and in many cases, access to one system leads to access to others. The types of breaches that most directly affect a company’s brand are those that pertain to data at the core of its business. For example, the Starwood/Marriott breach divulged customer credit card and even passport data, and as such it significantly impacted consumer trust in the Marriott brand. In other industries, there might be other forms of data that has great value. If you are a company that trades commodities, financial and resource price forecasts may prove to be specifically damaging if hacked. One common approach during the acquisition process is to treat presume all systems as insecure or breached until proven otherwise.

Further within the M&A value assessment the buyer should determine the health and capability of the security posture and value of the transaction accordingly. The buyer may have a significant investment post-acquisition to shore up the systems and defense.

How can risk be prevented during this process? What are best practices?

When assessing who you should work with for your security needs during M&A, it’s best to use people you already trust. Ideally the team that evaluates the security posture of the company to be acquired should be separate from those who will be charged with executing the IT integration of the merging systems. Using incentives like MBOs and bonuses can motivate everyone to look a little deeper for gaps.

Another best practice is to keep a detailed digital record of risk assessments and make sure to test the assessments. Building risk assessments solely on paper can lead to issues never being found, and this is where most organizations go wrong. Companies rely on spreadsheets of questions that identify where policies exist and suggest there may be gaps, but rarely do the findings get tested — they are just assumed to be correct. An example of this could be a question on whether or not data is encrypted. A typical answer would be “yes” but there’s more to uncover. The next step should look at how the keys that encrypt the data are managed. Should the test of the controls fail, the keys would not be considered secure and therefore the data, while encrypted, may be vulnerable anyway.

Finally, overlay your existing cybersecurity policies to the company being acquired and see how they align. If your company uses digital certificates for authentication and the company to be acquired only uses passwords, you can speculate that devices on their network might already be breached as passwords are easy to compromise.

Who should oversee this process? Who should be involved?

Typically these types of activities fall to the CSO or CISO, however each organization is different in structure. If and when a breach is announced, an organization can expect fines (SEC and GDPR) and lawsuits, resulting in hefty fines, revenue & EBITDA ramifications, angry shareholders and class action lawsuits — not to mention very significant remediation costs. As such whomever oversees the process should report to the CEO.

What role should CEOs play in cybersecurity (M&A and beyond) to protect their organization, customers and stakeholders?

During any M&A activity one of the greatest concerns for a CEO is “have I just invested in a data breach?” The most important role a CEO can play during the process is championing the cybersecurity topic and make sure that cybersecurity becomes and stays a top priority for every person involved in the process. Increasingly, clauses in contracts are dealing with the notion of adjusting a company’s sale price if a breach is uncovered that has not been disclosed. Cyber liability insurance should also be reviewed to ensure adequate coverage specific to M&A activity.

Lastly, recognize the level or tolerance for additional risk that you and the board are prepared to accept. Know what the data represents to your company and the value associated with it. Which is more valuable to you – customer lists or intellectual property? It’s only when you can make these value judgements can you effectively assess the impact of an undisclosed breach during the M & A process, guiding the organization, stakeholders and customers accordingly.

Read more: Marriott Models How To Handle A Hacking Attack