The business case for data security due diligence during mergers and acquisitions
By Brian Vecci, Field CTO, Varonis
The Marriott breach put data risk around M&A activity on the map. Executives and boards must understand the depth and breadth of the risk they assume when they acquire another company’s data. In Marriott’s case, the oversight was bringing Starwood’s systems and data onto its own network without first understanding the risk they carried, and it proved costly.
When it comes to mergers and acquisitions, companies typically overlook the data they are taking on. When you acquire a company, you acquire all of its security and data risk as well. M&A activity often means taking on thousands or even millions of files that typically haven’t been checked for digital risk: sensitive PII on employees and customers, financial information, intellectual property and more. Consider that at the average company, about one in every five files is open to everyone in the organization. Sensitive data that is open to everyone is what leads to significant breaches and other incidents; when exposure is that high, the door is left wide open to a data breach.
Not knowing where sensitive information resides (both on-premises and in the cloud) or who has access to it can land companies in trouble with regulators. Ignorance isn’t a defense and won’t hold water when modern privacy regulations like the GDPR and CCPA apply. Finger-pointing won’t help companies escape multimillion-dollar fines: Marriott could not claim that it was Starwood’s fault that the breach happened.
Organizations that acquire a company will have to onboard its systems and data, and it’s critical that they can fully evaluate and quantify the risk before they do. That is difficult, to be sure, but not impossible. If you make sure the acquired systems and data are locked down and monitored before you connect them to your network as part of a merger, you will be much better off. Even a basic risk assessment, establishing what data is out there, which of it is sensitive, and where it is exposed, is a strong first step.
Consider the case of one healthcare company: after a merger, it prepared to move the acquired data to the cloud. What it didn’t expect to find was six million folders open to everyone in the company and nearly 30,000 files containing sensitive data, including PII protected under HIPAA, along with thousands of stale but still active user accounts.
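The three findings in that case (folders open to everyone, files containing regulated data, and stale accounts that are still enabled) are exactly what a first-pass data risk assessment of an acquired file share looks for. The script below is an added illustration written for this article, not Varonis tooling or the healthcare company’s own process. It assumes a POSIX file share, uses the other-read permission bit as a stand-in for "open to everyone" (on a Windows file server the equivalent check is an ACE granting Everyone, Authenticated Users or Domain Users), uses three illustrative regexes plus a Luhn check as the PII detectors, and runs against a small constructed share and user export that it creates in a temporary directory.

```python
"""Constructed M&A data-risk assessment: open folders, exposed PII, stale accounts."""
from __future__ import annotations

import os
import re
import shutil
import stat
import tempfile
from datetime import datetime, timedelta

# Illustrative detectors only; a real assessment adds the identifiers the
# regulations in scope (HIPAA, GDPR, CCPA) actually cover.
PII_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on 13-19 digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_open_to_everyone(path: str) -> bool:
    """POSIX approximation of 'open to everyone': the other-read bit is set.
    Assumption for this example; on Windows shares inspect the folder ACL instead."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def classify_file(path: str) -> list[str]:
    """Names of the PII patterns that hit anywhere in the file's text."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    hits = []
    for name, rx in PII_PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                     # digit run that is not a valid card number
            hits.append(name)
            break
    return hits


def find_stale_enabled_accounts(accounts, as_of: datetime, max_idle_days: int = 90) -> list[str]:
    """Accounts that are still enabled but have not logged on within max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and datetime.strptime(a["last_logon"], "%Y-%m-%d") < cutoff)


def assess(root: str, accounts, as_of: datetime) -> dict:
    """Walk the share, flag open folders and PII-bearing files, and report exposure."""
    open_folders, sensitive, exposed = [], {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if is_open_to_everyone(full):
                open_folders.append(os.path.relpath(full, root))
        for f in filenames:
            full = os.path.join(dirpath, f)
            hits = classify_file(full)
            if hits:
                rel = os.path.relpath(full, root)
                sensitive[rel] = hits
                # exposed = the file and its folder are both readable by everyone
                if is_open_to_everyone(full) and is_open_to_everyone(dirpath):
                    exposed.append(rel)
    return {
        "open_folders": sorted(open_folders),
        "sensitive_files": sensitive,
        "exposed_sensitive_files": sorted(exposed),
        "stale_enabled_accounts": find_stale_enabled_accounts(accounts, as_of),
    }


# Constructed user export from the acquired directory (hypothetical names).
SAMPLE_ACCOUNTS = [
    {"user": "acq\\jsmith", "enabled": True, "last_logon": "2019-01-10"},
    {"user": "acq\\svc_backup", "enabled": True, "last_logon": "2018-06-01"},
    {"user": "acq\\mlee", "enabled": True, "last_logon": "2019-12-20"},
    {"user": "acq\\former_cfo", "enabled": False, "last_logon": "2017-03-15"},
]


def build_sample_share() -> str:
    """Create a constructed 'acquired' share in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="acq_share_")
    layout = {  # folder: (folder mode, file name, file mode, contents)
        "finance": (0o755, "payroll.csv", 0o644,
                    "name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n"),
        "hr": (0o700, "review.txt", 0o600,
               "Contact jane.doe@example.com about the 2019 review.\n"),
        "public": (0o755, "readme.txt", 0o644,
                   "Order 20190101123456 shipped.\n"),   # digit run, fails Luhn
    }
    for folder, (dmode, fname, fmode, body) in layout.items():
        dpath = os.path.join(root, folder)
        os.mkdir(dpath)
        fpath = os.path.join(dpath, fname)
        with open(fpath, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(fpath, fmode)
        os.chmod(dpath, dmode)
    return root


def run_demo() -> dict:
    """Build the sample share, assess it as of 2020-01-01, and clean up."""
    root = build_sample_share()
    try:
        return assess(root, SAMPLE_ACCOUNTS, as_of=datetime(2020, 1, 1))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The distinction the script draws between "sensitive" and "exposed" is the one that matters for prioritization: the HR review file contains PII but is locked down, while the payroll file contains both an SSN and a valid card number and sits in a folder everyone can read, so it is the finding to fix first. The stale-account check is deliberately restricted to accounts that are still enabled, since a disabled account is not an entry point.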
The good news is that data privacy regulations like CCPA and GDPR have real teeth and are forcing companies to put better (or at least some) controls around PII. Companies are taking what happened to Marriott seriously. Data-focused risk assessments are becoming far more common as part of the due diligence process for M&A activity.
Marriott got hit twice in the headlines: once, when the breach was disclosed, and again, when they were fined under the GDPR for the privacy violation. While I hope other organizations will learn the lesson Marriott did, we will almost certainly witness a similar attack in the coming year. There’s too much data open to too many people—it’s just a matter of time.