Addressing Cybersecurity Risks in Mergers and Acquisitions - Ascent Conference

Addressing Cybersecurity Risks in Mergers and Acquisitions

In any merger or acquisition, it’s not only a company’s operations, processes, and branding that join together: the business’s cybersecurity risks also come with the package. During the M&A transition period, the risk of cyber-attacks increases as all systems and technologies undergo the transfer process.

The 2018 Marriott-Starwood Acquisition: A Cautionary Tale

An example of this is the 2018 Marriott-Starwood acquisition. For those of you who are not familiar with the case, Marriott discovered two years after the billion-dollar merger that Starwood had acquired multiple hotels and inherited the numerous security issues that came with these companies. Upon further investigation, Marriott learned that Starwood’s security framework had been compromised back in 2014 and that the compromise had gone unnoticed.

Consequently, a significant breach of Marriott’s database exposed sensitive guest information such as first-party data, credit card numbers, and passport details. The hospitality giant suffered hefty financial losses and penalties due to the attack, not to mention the damage to its reputation and credibility.

Exercising Cyber Due Diligence

The incident became a stern reminder for other businesses to prioritize cybersecurity in potential investments, especially at this time of a pandemic, when companies are gearing up to enter the M&A space so as not to face permanent closure. Unfortunately, discovering security breaches post-acquisition has become common in recent years. Adopting the strategies below is of utmost importance so as not to unknowingly fall victim to cyber-attacks:

  • Conduct a cybersecurity audit – This is standard practice in M&A to verify that attackers have not already infiltrated the acquired company’s database before the purchase and to pinpoint potential vulnerabilities in its security architecture.
  • Have the acquirer’s CIO/CISO lead the unification of security – Part of the CISO’s role in the merger is to review the security posture and procedures the acquired company currently has in place. They must also work closely with other executives to better understand each department’s framework and then formulate a plan to close security gaps if there are any.
  • Centralize your plan – This includes cooperating with the other company to align with existing goals, policies, tools, and protocols. The IT departments of both companies must also present a united front, operate as a single unit, and be transparent with their respective strategies.

Mitigating M&A Security Risks

Security frameworks are highly intricate and must be thoroughly assessed before closing potential M&A transactions. The acquirer should practice due diligence in evaluating the risks and liabilities of purchasing a company and in determining whether these will be deciding factors in its valuation.
