
What CEOs Can Learn From Marriott/Starwood Breaches

When we see leading brands like Marriott with healthy security budgets get owned by the threat actors we should all take note that what we put in place yesterday — or even today — isn’t good enough.

Cyber defense is no longer a compliance initiative — it’s now a CEO and board-level topic. When we see leading brands like Marriott with healthy security budgets get owned by the threat actors we should all take note that what we put in place yesterday — or even today — isn’t good enough, unless it has a dynamic and future-proof roadmap.

CEOs should initiate a comprehensive security review that encompasses technologies, procedures, and general system health. All too often cybersecurity is approached from a defensive posture where parameters are built around existing systems. Even when best-of-breed technologies are used, cybersecurity is a complex set of layers that should work collaboratively but may require stand-alone review. Policies should be regularly audited, systems must conform to those policies, and defensive measures must be in place to ensure anomalous events are recognized and acted upon.

What information and systems are most likely to be at risk during M&A?

Threat actors are trolling for deal information that allows them to front-run a deal and profit from it. Any system can be subject to breach, and in many cases access to one system leads to access to others. The types of breaches that most directly affect a company’s brand are those that pertain to data at the core of its business. For example, the Starwood/Marriott breach divulged customer credit card and even passport data, and as such it significantly impacted consumer trust in the Marriott brand. In other industries, there might be other forms of data that have great value. If you are a company that trades commodities, financial and resource price forecasts may prove to be specifically damaging if hacked. One common approach during the acquisition process is to presume all systems are insecure or breached until proven otherwise.

Further, within the M&A value assessment, the buyer should determine the health and capability of the target’s security posture and value the transaction accordingly. The buyer may face a significant post-acquisition investment to shore up the systems and defenses.

How can risk be prevented during this process? What are best practices?

When assessing who you should work with for your security needs during M&A, it’s best to use people you already trust. Ideally the team that evaluates the security posture of the company to be acquired should be separate from those who will be charged with executing the IT integration of the merging systems. Using incentives like MBOs and bonuses can motivate everyone to look a little deeper for gaps.

Another best practice is to keep a detailed digital record of risk assessments and make sure to test the assessments. Building risk assessments solely on paper can lead to issues never being found, and this is where most organizations go wrong. Companies rely on spreadsheets of questions that identify where policies exist and suggest there may be gaps, but rarely do the findings get tested — they are just assumed to be correct. An example of this could be a question on whether or not data is encrypted. A typical answer would be “yes” but there’s more to uncover. The next step should look at how the keys that encrypt the data are managed. Should the test of the controls fail, the keys would not be considered secure and therefore the data, while encrypted, may be vulnerable anyway.

Finally, overlay your existing cybersecurity policies onto the company being acquired and see how they align. If your company uses digital certificates for authentication and the company to be acquired only uses passwords, you can speculate that devices on their network might already be breached, as passwords are easy to compromise.

Who should oversee this process? Who should be involved?

Typically these types of activities fall to the CSO or CISO; however, each organization is different in structure. If and when a breach is announced, an organization can expect hefty regulatory fines (SEC and GDPR), revenue and EBITDA ramifications, angry shareholders and class action lawsuits — not to mention very significant remediation costs. As such, whoever oversees the process should report to the CEO.

What role should CEOs play in cybersecurity (M&A and beyond) to protect their organization, customers and stakeholders?

During any M&A activity one of the greatest concerns for a CEO is “have I just invested in a data breach?” The most important role a CEO can play during the process is championing the cybersecurity topic and making sure that cybersecurity becomes and stays a top priority for every person involved in the process. Increasingly, clauses in contracts deal with adjusting a company’s sale price if a breach is uncovered that has not been disclosed. Cyber liability insurance should also be reviewed to ensure adequate coverage specific to M&A activity.

Lastly, recognize the level of tolerance for additional risk that you and the board are prepared to accept. Know what the data represents to your company and the value associated with it. Which is more valuable to you: customer lists or intellectual property? Only when you can make these value judgements can you effectively assess the impact of an undisclosed breach during the M&A process and guide the organization, stakeholders and customers accordingly.

Read more: Marriott Models How To Handle A Hacking Attack
