The announcement by a global hotel chain of the discovery that an acquired business’s reservation system had been compromised raises issues around the need for cyber security due diligence.
The merger of an American subsidiary with the global chain took place in September 2016, when the unauthorised data-stealing program was already working undercover in the system. When the hack was announced on Friday 30 November 2018, it was estimated that it had been operating covertly for more than four years, harvesting travel details, passport numbers and credit card data of some 500 million customers.
This demonstrates that due diligence processes cannot be applied only to financials: it is essential that network systems and security are also scrutinised. If the global chain had been aware of the acquired company’s data security issues, the organisation could have saved itself the raft of expenses it now faces: legal issues, regulatory problems, breach investigation and notifications, remediation actions and public relations.
“The possibility of an undiscovered bug already being in a computer system is a real threat in an acquisition context,” says Gallagher Account Manager – Professional and Financial Risks Brett Parnell.
“A recent global study by the Ponemon Institute reported that the average time to identify a data breach is 197 days. Therefore cyber security due diligence is essential when considering an acquisition, so the buyer has full visibility of the risk profile they are buying.”
M&A cyber security due diligence
Assessment of cyber security is a fundamental aspect of overall risk management strategy and should form an integral part of due diligence in M&A transactions, law firm Allens advises.
Sellers should be aware of their critical systems and data sets, and how they are used and protected. They should be able to demonstrate that they have implemented a cyber security risk management program.
Buyers should review how a potential acquisition uses data, its approach to security and its history of breaches and their management. Formal industry audits such as a PCI compliance audit or ISO 27001 assessment can help evaluate gaps or issues.
Both parties should also evaluate how cyber risks might be mitigated by insurance cover.
“The issue of already compromised systems reinforces the importance of ensuring any cyber insurance policy purchased has an unlimited (or silent) retroactive date, as a retro date may limit coverage arising out of events that occurred after a certain date, and therefore gives the insurer the ability to decline the claim on the basis that the bug was already in the system, if this is found to pre-date the inception date of the policy,” Parnell says.
Gallagher has noticed that our clients have invested in increased security spending and improvements in cyber risk processes and frameworks. There is now customer demand for services such as