Why Every Mergers & Acquisitions Deal Should Include Data Privacy Due Diligence

The US-based hotel group Marriott International was recently fined almost £100m for falling foul of the EU’s GDPR legislation. The fine was levied on the hotel giant for a massive data breach, identified in 2018, that saw the personal data of over 339 million customers compromised by cybercriminals. It is interesting to note that Marriott International inherited the breach with its 2016 acquisition of Starwood Hotels and Resorts Worldwide.

This was not an isolated incident. As per a recent Forescout report, around 65% of companies had cybersecurity and data privacy concerns post an M&A deal. The data breach that came to light after Verizon announced its intention of acquiring Yahoo! is a prominent case in point; the latter has recently finalised an out-of-court settlement over $117 million, denting the profitability of the former.

These examples highlight the growing significance of proper due diligence during corporate mergers and acquisitions, underlining the business risk that corporate entities expose themselves to if they don’t focus on data privacy and information security during the M&A process.

Understanding data security challenges during M&As and possible solutions

Most incidents occur because organisations don’t have clear visibility into their own enterprise networks. This risk-prone situation complicates even further when an enterprise network merges with another ecosystem of networked devices and endpoints.

With the addition of new devices, on the network, there is a rise in the data volumes generated across the organisation’s IT stack. This then amplifies the scope of the security challenge that internal IT teams have to deal with. Manual monitoring and tracking of the behaviour and security profile of each device in real-time become almost impossible, raising the threat risk that enterprises are exposed to.

This underlines the need for an automated, agentless endpoint security solution that can help CIOs and CISOs to gain comprehensive real-time visibility over their networked nodes. These solutions constantly map vital information such as device permissions, security postures, and behaviour to identify threats, vulnerabilities, and risk patterns.

Such in-depth access to information helps IT teams to define and deploy relevant controls and access policies for connected devices. By enabling the seamless integration of newer devices and technologies into existing enterprise networks, such solutions can help in streamlining the M&A process while ensuring robust security.

Organisations can also look at leveraging virtual data rooms (VDRs) to protect their confidential enterprise data. VDRs enable information rights management, allowing data owners to share data with other participants on view-only screens. This ensures access to the relevant information for all stakeholders, while preventing its unauthorised replication and usage. Data owners also have the flexibility to immediately cancel access permissions for other transacting parties and to block their access to data rooms. This is useful in case of interruptions, or if the M&A deal falls through.

With an ever-growing number of connected devices and networked nodes, it has become essential for enterprises to deploy advanced measures to ensure robust data security. Cybersecurity for modern-day businesses is more a factor of constant vigilance and less about deploying reactive measures post-breach. Enterprises must ensure that, in their bid to achieve growth and scale through an M&A, they do not end up compromising security. Conducting extensive, security-oriented due diligence during the M&A process is a must to keep their enterprise networks safe from threat actors.

By Ramsunder Papineni, Regional Director-India and SAARC, ForeScout Technologies Inc.