Many of our clients have clear growth plans for their business, which may be through organic growth, but could also include mergers and acquisitions. Many forget to complete due diligence. This week, the ICO served notice of its intention to fine Marriott International £99 million for breaches of data protection law.
The most interesting aspect of this case is not the size of the fine, vast as it is, but the underlying issue that led to it.
Marriott inherited the cyber breach, which occurred in 2014, through its acquisition of the Starwood hotel group in 2016, and the breach went unnoticed until 2018.
But why is this important?
The data breach should have been noticed before the takeover had occurred as part of the company’s due diligence process. This omission should serve as a warning to any business with acquisitions as part of their expansion strategy.
We have been involved with many client mergers and acquisitions over the years and have observed that due diligence can vary wildly, depending on the businesses involved. Where we have been involved with reviewing the IT systems and processes from the start, they have been easier to manage and complete, and security problems can be highlighted and addressed at an early stage in the process.
What to think about?
An important consideration when reviewing an acquisition target is a critical evaluation of its IT infrastructure. Does the business have the appropriate security in place? Does the business use outdated operating systems and software? Does the business have robust data management policies and processes, and is there evidence that these are adhered to? If the technology review identifies issues in the IT systems, this could also indicate that other areas of the business have similar non-compliance issues.
If an IT systems review isn’t part of your due diligence process, it would be sensible to add this. The cost of a review of technology systems as part of your due diligence and documentation process is a fraction of the fines that you could potentially incur if a business that you acquire has been lax in its data security and processes.
Once the purchase has been completed, have a plan to integrate the business as soon as possible. Software and system adoption will not only improve efficiencies but also help increase security. New staff should be trained on how to use your systems and the IT and security policies that you have in place. Get rid of old archived systems and solutions and if this isn’t possible from day 1, make sure you can ringfence them and reduce reliance on them. Keeping old software available is costly and potentially insecure.
If you are considering a business purchase or merger, make sure a review of the IT system is part of your due diligence process. This will not only facilitate the integration of the acquired company, but it could save you time and money – and possible fines and reputational damage in the future.
For more information on Orca’s services to support expanding businesses, contact us.