Log in
Forgot password ?
Become a member for free
Sign up
Sign up
Dynamic quotes 

MarketScreener Homepage  >  Equities  >  Nasdaq  >  Marriott International    MAR

My previous session
Most popular
News SummaryMost relevantAll newsOfficial PublicationsSector newsAnalyst Recommendations
The feature you requested does not exist. However, we suggest the following feature:

Marriott International : Breach Highlights Importance of Cybersecurity Due Diligence in M&A Deals

share with twitter share with LinkedIn share with facebook
share via e-mail
01/23/2019 | 09:38am EST

In 2016, Marriott International announced its acquisition of Starwood Hotels & Resorts Worldwide. Coined by Marriott as a "smooth transaction," the announcement of the acquisition received an overwhelmingly positive response. Two short years later, on November 30, 2018, Marriott made an announcement to consumers that received a very different response: hackers had breached Starwoods reservation system beginning in 2014 and continuing through September 2018. As a result, Marriott announced that it had acquired Starwood while Starwood was under cyberattack, failed to identify such a cyberattack during its due diligence investigation, and allowed cyberattackers to continue to compromise the personal data of up to 500 million of its customers, undetected. This announcement caused Marriott embarrassment and left Marriott, not Starwood, to bear the full financial and reputational hit from the breach.

Marriotts current dilemma is not an isolated incident, as both acquiring companies and acquisition targets have seen previously undisclosed data breaches impact deals. Other companies have experienced similar situations with detrimental results, leading to concerns for other transactions large and small. Approximately 63 percent of U.S. CEOs say they are extremely concerned about cyber threats, and only 25 percent of consumers believe that companies handle their sensitive personal data responsibly.

In addition to data breaches of the type experience by Starwood, companies engaged in M&A due diligence should be alert to cyber risks that could compromise the security of a companys critical intellectual property or other proprietary information, and also to whether a target companys data privacy practices are in full compliance with the increasingly complex framework of national and international data privacy laws. Any failings in these areas can significantly decrease a companys true valuation, and expose the acquirer to significant legal risks and costs, including the costs of remediation, litigation and fines. To mitigate negative effects stemming from an undetected cybersecurity or data privacy issue, any potential acquirer must engage in a comprehensive cybersecurity and data privacy due diligence investigation of the target. Appropriate evaluation of cybersecurity networks, systems, and personnel policies and procedures on critical areas such as data protection and cybersecurity awareness, could have a major impact on the value of the target company and the deal as a whole.

Many acquirers still underappreciate the need for cybersecurity due diligence as a distinct risk category. Purchasers frequently combine cybersecurity due diligence with information technology due diligence, when in fact this type of due diligence does not necessarily examine the appropriate risks. Information technology due diligence often focuses narrowly on hardware and technology documentation rather than taking a deep dive into systems, servers, networks, data processing and the ways that targets conduct those processes. Information technology diligence often fails to assess whether a company has a data governance process in place; whether it has a thorough understanding of the data privacy and information protection requirements which apply to its business model and scope of operations and whether it has policies and procedures to prevent, detect and respond to human error or malfeasance.

Its axiomatic in cybersecurity that the very best technology cannot compensate for human failings, and that both technical and organizational measures are necessary in order to have an effective cybersecurity and data privacy program. Traditional approaches to information technology diligence frequently fail to assess the risks created by targets taking or failing to take certain actions. As a result, limited due diligence into information technology will be insufficient to identify dangerous cybersecurity risks. Cybersecurity is a risk category in its own right, one that companies are statistically less likely to report, if they are even aware of potential or actual cybersecurity breaches at all.

The combination of a thorough due diligence process, an experienced team, and a cybersecurity due diligence component should, now more than ever, be an essential part of every M&A transaction. The American Bar Associations publication "The Importance of Cybersecurity Due Diligence in M&A Transactions" identified several key areas of cybersecurity due diligence review:

A review and risk assessment evaluation of the targets current cybersecurity policies;

A study of network security assessments conducted by a third-party forensic firm;

Identification of prior breaches and incident-response capabilities of the target, such as what data was compromised, how the target responded, and comparisons of the currently active network files with a backup that the attacker did not alter; and

Identifying internal and external threats to past and future cybersecurity safety.

In order to be able to assess these risks, purchasers should update their due diligence procedures as follows:

Diligence document requests lists should request disclosure of all the targets cybersecurity policies and procedures, risk assessments and network security assessments, both internal and by external consultants or agents;

Diligence document requests lists should ask targets to identify any prior breaches of their systems and describe incident responses, including seeing incident response reports;

Diligence document requests should request disclosure of all the targets policies and procedures relating to data privacy compliance, to include the organizational mechanisms for compliance with any national or international regulatory frameworks, including cross-sector regulations such as the European Unions General Data Protection Regulation (GDPR) and sector-specific requirements for data privacy and compliance (such as in the healthcare and financial services industry), as well as the existence of best practices such as data inventory and data governance programs and board-level oversight of privacy and cybersecurity programs;

Purchaser diligence teams should include cybersecurity experts who should request access to the personnel at the target who are responsible for ensuring cybersecurity as well as responding to breaches;

Purchasers should consider and consult with their attorneys about the need to hire forensic experts to assess network security and/or compare network files with backup files; and

The diligence team members with the appropriate data privacy and cybersecurity expertise should interview the targets cybersecurity team about internal and external threats and the level of cybersecurity risks created by the targets business model.

If due diligence is conducted with a focus on cybersecurity and data privacy risks, purchasers will be well situated to request and negotiate the inclusion of certain representations and warranties in the operative deal documents. Such representations and warranties would include:

Representations about known incidents (and the targets responses);

Representations that the target is compliant with applicable privacy and data security laws and regulations (which may or may not be focused on the targets particular industry); and

Representations about the absence of consumer complaints, litigation or investigations regarding privacy and data security.

Representations and warranties are never a substitute for comprehensive due diligence, but they can help to mitigate the purchasers post-closing cybersecurity risk to some degree, particularly for past or ongoing cyberattacks.

(c) Sabanews.net 1999 - 2019 Provided by SyndiGate Media Inc. (Syndigate.info)., source Middle East & North African Newspapers

share with twitter share with LinkedIn share with facebook
share via e-mail
09:38aMARRIOTT INTERNATIONAL : Breach Highlights Importance of Cybersecurity Due Dilig..
09:04aMARRIOTT INTERNATIONAL : Group of businessmen express wish to make new investmen..
08:49aMARRIOTT INTERNATIONAL : AC Hotel Atlanta Midtown and Moxy Atlanta Midtown Open ..
01/22MARRIOTT INTERNATIONAL : Sets New Record for Growth in 2018 Fueling Global Expan..
01/21MARRIOTT INTERNATIONAL : Has Trained 500,000 Hotel Workers to Recognize the Sign..
01/21MARRIOTT INTERNATIONAL : Expands Its Sheraton Brand into the Philippines Market ..
01/18MARRIOTT INTERNATIONAL : Marriot International launches Bonvoy loyalty programme
01/18MARRIOTT INTERNATIONAL : Has Trained 500,000 Hotel Workers to Recognize the Sign..
More news
Financials ($)
Sales 2018 21 120 M
EBIT 2018 2 380 M
Net income 2018 1 995 M
Debt 2018 8 879 M
Yield 2018 1,46%
P/E ratio 2018 19,27
P/E ratio 2019 17,06
EV / Sales 2018 2,15x
EV / Sales 2019 2,10x
Capitalization 36 590 M
Duration : Period :
Marriott International Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends MARRIOTT INTERNATIONAL
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus OUTPERFORM
Number of Analysts 25
Average target price 134 $
Spread / Average Target 25%
EPS Revisions
Arne M. Sorenson President, Chief Executive Officer & Director
John Willard Marriott Executive Chairman
Raymond Bennett Chief Global Officer- Global Operations
Kathleen Kelly Oberg Chief Financial Officer & Executive Vice President
Bruce Hoffmeister Global Chief Information Officer
Sector and Competitors
1st jan.Capitalization (M$)
ACCOR4.96%12 851