The mergers and acquisitions process is scary enough, but absorbing another company’s digital assets without full visibility into their entire digital infrastructure is downright harrowing. This is perhaps best evidenced by Marriott’s experience during their Starwood acquisition: after the acquisition had been finalized, Marriott discovered a major data breach. Marriott’s direct losses due to the breach range between $200 million and $600 million. On the high end, that is nearly 5% of the total Starwood acquisition price—a high price to pay for negligence.

Thankfully, there’s a process for mitigating your cyber risk during the M&A process so you can avoid a mistake like Marriott’s. In a recent article published in SC Magazine, the process is outlined in five important steps:


  1. Seek to gain an objective understanding of the company’s IT environment and security risk.
  2. Use cyber risk rating information to objectively understand the acquisition’s IT environment.
  3. Investigate how well your acquisition is inventorying and managing their digital systems.
  4. Objectively assess the information security posture.
  5. Carve out holdbacks for pre-existing cybersecurity breaches.

Remember, it’s your responsibility to do your cyber risk due diligence. Read the full article to learn how to gracefully negotiate cyber risk and protect your company during the M&A process.
