Poor cyber due diligence can carry a costly bite
“It has become apparent that can’t remain the status quo,” she said. “We need to be looking at cyber-security issues as part of due diligence and, in fact, taking action almost before the deal is done and before announcement.
“The regulatory environment is now considering the purchaser of any company responsible for cyber security issues that were in the target company when it was acquired.
“It’s not enough to assume that liability can be left behind – you have to understand what you’re buying.”
The Marriott hotel group was last year hit with a £18.4 million ($33 million) fine by Britain’s privacy regulator, following revelations that 339 million guest records from Starwood hotels may have been compromised.
Marriott acquired Starwood in 2016 for $US13.6 billion but did not discover the cyber breach, which dated back to 2014 before the acquisition was settled, until almost two years later.
The initial fine suggested by the Information Commissioner’s Office in 2019 was $123 million, which Marriott said it would fight.
The ICO specifically highlighted a failure of due diligence on the part of Marriott in reaching the quantum for the final penalty.
Verizon’s $US4.83 billion purchase of Yahoo in 2017 had $US350 million knocked off the price after revelations of a data breach incurred by Yahoo.
In Australia, former ANZ wealth management business RI Advice Group, now owned by financial services company IOOF, is being sued by the corporate regulator for failing to ensure financial advisers under its control protected sensitive client data from a “brute force” cyber attack.
Speaking at the The Australian Financial Review Business Summit last week, Australian Securities and Investments Commission deputy chairwoman Karen Chester highlighted ASIC’s expectations.
“ASIC will ensure regulatory incentives for cyber resilience are in open play, as evidenced by [the] August 2020 case against RI Advice Group,” Ms Chester said.
“It should be front-of-mind. It was the first action taken by ASIC against a licensee in respect of cyber security and cyber resilience.
“It won’t be the last.”
Speaking at the Australian Cyber Security Conference 2021 in Canberra on Wednesday, Ms Haggar will say cyber security is the single biggest threat to a company’s finances, intellectual property and brand, with about 62 per cent of breaches affecting operations.
She said simple steps such as Dark Web threat scans, reviews of cyber security audits and threat hunts on a target company were simple steps that could potentially save the buyer tens of millions of dollars.