When Marriott International, one of the world’s largest hotel chains, discovered a data breach in 2018, following the acquisition of another hotel chain, it was a massive blow for the company. As a result of the hack, the credit card numbers, addresses, passport information and other sensitive details for up to 500 million guests had been compromised.
The breach exemplified a challenge from which businesses across industries can learn: Whether you are buying or selling, it’s paramount to consider cybersecurity during mergers and acquisitions.
An investigation of the Marriott incident revealed that one of the largest breaches ever of consumer data had not occurred overnight. It was traced back as far as 2014, two years before Marriott acquired the Starwood network, a family of hotels and resorts whose guest reservation database had been the victim of unauthorized access.
The large volume of personal details stolen through the Marriott breach made headlines, yet consumer-facing enterprises aren’t the only ones targeted by cyber criminals. Vulnerabilities in manufacturing businesses are particularly acute, despite attracting less mainstream attention. If unaddressed, legacy cybersecurity issues can cost their future owners dearly.
“When I think of manufacturing companies and cybersecurity, I worry that someone could hack into their system and discover their trade secrets or their formulas, or shut down their plant operations,” says Karen Hermann, a partner focusing on M&A and corporate transactions at law firm Venable LLP. “There are all kinds of things bad actors can do.”
Experts say it is also common for midsize manufacturers to have outdated computer or control systems.
“They have systems that are valuable for monitoring the efficiency of production, but many were implemented years ago, before modern security techniques were in place, and they’re not protected like a laptop would be,” says Matt Dauphinais, senior manager of mergers and acquisitions for West Monroe Partners, a national consulting firm.
“They’re also not what we call ‘segmented’ within a network,” he adds. “If you access the device itself, you have subsequent access to all the other devices that it is connected to. In older setups, it can be a main weak point.”
“WHEN I THINK OF MANUFACTURING COMPANIES AND CYBERSECURITY, I WORRY THAT SOMEONE COULD HACK INTO THEIR SYSTEM AND DISCOVER THEIR TRADE SECRETS OR THEIR FORMULAS, OR SHUT DOWN THEIR PLANT OPERATIONS.”
Partner, Venable LLP
Tom Wojcinski, director at Wipfli LLP, an accounting and business consulting firm, frequently encounters clients who know what they want to protect within their company, yet they do not have formal risk-management programs in place.
“In the midmarket, at the ownership level, there’s an informal or ad hoc understanding of ‘Hey, this is what I’m concerned about,’” he says. “But it’s more of a gut-level understanding of ‘Hey, this is what I’m trying to protect. Did I do a good job?’”
Too often, cybersecurity doesn’t become top of mind until it’s too late.
“If they haven’t had a problem, it’s not a priority,” he says. “And it doesn’t become a problem until they’ve been burned in a ransomware attack or other hack.”
Unlike financial companies, manufacturers’ efforts to protect data are not highly regulated.
“There are no regulatory drivers that say you need to do this to protect your customers’ assets or your customers’ information,” Wojcinski says.
DEALING WITH CYBER RISK
As Marriott learned after buying Starwood, an acquisition can introduce cybersecurity risks and liabilities for a buyer. The outdated security systems and lack of formal risk-management programs at many midsize manufacturers mean acquirers should tread carefully.
Among the concerns that need to be considered during an M&A transaction is the possibility of a post-sale data breach, Hermann says.
“I guess the worst thing that could happen is after closing, a buyer discovers a data breach you didn’t tell them about and then, all of a sudden, you’re on the hook to give them back a big chunk of the purchase price for an indemnification,” she says.
Despite the threats posed to businesses, Dauphinais says cybersecurity does not receive as much focus as it should during M&A.
“I think there’s a lack of understanding of what the risks really are,” he says. “You could have a ransomware event and that could be just as impactful, if not more damaging, than a couple quarters of missed financial projections.”
While inadequate cybersecurity protocols alone will rarely sink a deal to acquire a company, they will potentially impact the purchase price or terms.
“If you feel a company has been lax in any area of preparation—their financial statements aren’t as robust as they could be, or they don’t have cyber insurance or they don’t have good benefits plans—all those things weigh into the price of the deal,” Hermann says.
A company that is the target of a purchase should be able to demonstrate good governance overall.
“Make sure you have good policies in place,” Hermann says. “Make sure your employees are being trained and you have a good data protection policy on the website. Make sure you know what data you collect, how you store it and who has access to it. Change your passwords every 90 days.”
One way for a company to identify its cybersecurity weaknesses is to hire an outside firm to do an assessment.
“If you really want to put your best foot forward, hire a third-party investigation to do a phishing test or a penetration test,” Hermann says.
Even if a gap is revealed, “at least you’d look like you’re aware of it,” she adds.
Paul Cotter, senior security architect for West Monroe Partners, says companies that discover security weaknesses should develop plans for addressing them.
“What we generally advise is that if you’re looking to sell a company, you want to make sure that if you are aware of a gap, you demonstrate that you know about it and that you have a plan to address it, either short-term or long-term,” Cotter says. “Or be ready to establish that the gap is not as critical as perhaps some other issues.”
For a company that’s looking to sell and has been compromised, Wojcinski wants to see documentation of what they’ve done to correct the issue.
“If you got cracked wide open, and you had a compromise, I’d want to see a follow-up to show me that it’s been fixed,” he says.
CLOSING THE GAPS
When working with a buyer, Wojcinski says his job is to predict any post-close, unexpected costs. One area that can be costly is ensuring software and servers are up to date with the latest patches.
He cites Windows 7, which is no longer supported by Microsoft, as an example.
“You could have highly important manufacturing systems that are dependent on vulnerable software that can’t be patched,” he says. “A buyer should know that they are buying vulnerable infrastructure that can’t be updated. And they need to think through, ‘Am I prepared to have this machine go offline in an attack and not be able to recover it?’”
Wojcinski and other experts say companies should consider purchasing cybersecurity policies and know their limits and exclusions. He notes these policies can be tailored to the particular risks a company faces.
Another area to look at is employee training.
“The best hackers don’t hack computers. They hack people,” Wojcinski says. “It is way easier for me to trick you into giving me your password so I can come back into your system using your credentials rather than figure out how to circumvent the technical safeguards that are already there.”
He adds that training employees to recognize security threats isn’t enough; companies must promote a culture that encourages them to ask questions.
A common security threat is a hacker who sends an email pretending to be a trusted person within a company.
“I want to know if there is a culture in the company where it’s OK for an employee to question one of those messages and ask, ‘Is the director of finance really asking me to do this?’” Wojcinski says.
“HOLES THAT DIDN’T EXIST BEFORE”
Another area where a prospective buyer should focus is on the products a company sells, particularly as artificial intelligence, internet-enabled devices and other technologies become more prevalent.
“I worry about whether a company I’m buying has caused a third party to have a problem,” Hermann says. “If I’m buying a company that is selling iPhone speakers but is not designing them appropriately to not be hacked, then that could result in a class-action lawsuit.”
During the due diligence phase of a potential acquisition or merger, Hermann says bankers and lawyers hired as advisers should be asking a lot of questions about cybersecurity, as well as other areas.
She wants to understand any potential liabilities a company’s products may have.
“I’m going to be asking a lot of questions about what is referred to as ‘security by design,’” she says. “How is the company designing their products? Are the products they are putting out there safe or are they vulnerable to an attack?”
Events that are well beyond a company’s control— the COVID-19 pandemic, for instance— also can affect cybersecurity.
Cotter says employers rushed during the pandemic to enable employees to work at home, which has created security gaps.
“THE BEST HACKERS DON’T HACK COMPUTERS. THEY HACK PEOPLE.”
Director, Wipfli LLP
“They didn’t do as much research or take the time to necessarily acquire all the right security tools and hardware and everything else,” he says. “A lot of companies created new holes that didn’t exist before.”
As companies seek to improve their cybersecurity protections, Hermann says they also need to think about how they would justify their protections if they ever end up in court.
She recommends that manufacturers make their companies as secure as they can and adhere to industry standards. In the event a case goes to court, the business will be in a strong position to say to the judge or class-action litigators, “I got hacked. But I did all these things that were up to industry standards, the bad guys were just smarter than the industry,” Hermann says.
Planning ahead can help shield a company from future litigation as well as improve its prospects for acquisition. Knowing its cybersecurity weaknesses and addressing them can be key for a seller to get the best deal possible during the M&A process.
Awareness and follow-up are key.
“If somebody comes into a deal and is self-aware, and has a plan for addressing security gaps, that puts them in a much stronger position than if they’re just unaware and are completely oblivious to what the issues are,” Cotter says.
Annemarie Mannion is a former reporter for the Chicago Tribune and freelance writer who covers business.