The Importance of Cybersecurity in Mergers and Acquisitions

By: Nathaniel Reiff

In 2016, Marriott International, Inc. acquired Starwood Hotels & Resorts Worldwide for $13.6 billion “creating the world’s largest and best hotel company.” Little did Marriot know that Starwood’s guest reservation database provided unauthorized access of more than 500 million guest’s information. The leak revealed customer names, mailing addresses, phone numbers, email addresses, passport numbers, and potentially credit card numbers and card expiration dates.

“Marriott International Inc.’s revelation of a hack . . . highlights the hidden cybersecurity risks involved with mergers and acquisitions. . . . Even companies that thoroughly vet their targets can’t entirely avoid the possibility that they’re inheriting risks.” claims Bloomberg Law’s Privacy and Data Security reporter, Sara Merken. Such naivety engenders lawsuits against the acquirer, imposes damage to its reputation, and costs the company millions to remediate the hack.

“Cybersecurity is probably the business risk that has gained the most importance and salience in recent years. Every company has to reckon with risks that hackers and scammers pose to their business, and many companies are devoting staggering resources to doing so. . .  . [S]o we should expect undisclosed cyber liabilities to cast a shadow over the market for corporate control.” says Andrew Verstein, Associate Professor at the Wake Forest University School of Law.

An acquisition’s risk potential can fundamentally change the course of a deal. Such ramifications include the altering of a purchase price or destroying the transaction entirely. In 2017, Yahoo announced that it would reduce $350 million from Verizon’s purchase price of the web services provider after the discovery of breaches from 2013 and 2014.

Buyers must assess the target company’s data assets and conduct penetration testing and vulnerability assessments. With the potential for revealing breaches months and years following a merger or acquisition, companies are being advised by their counsel to put explicit cybersecurity provisions in their merger documents.

Nathaniel Reiff is a second-year law student at Wake Forest University School of Law. He holds a Bachelor of Arts in Business Administration and a Master of International Business from the University of Florida. Upon graduation, he intends to practice corporate and tax law.