Board and Shareholder Lessons from the Massive Marriott Hack
Marriott, or rather the company it acquired for $13bn while the hack was ongoing – Starwood – was hacked. So, what’s the big deal? There are three serious problem areas that emanate from this hack, along with sizable implications for Boards and leadership of organizations (government and private sector alike) and respective takeaway lessons.
Problem ONE: Marriott acquired Starwood while the breach was ongoing (the acquisition closed in September 2016, and the compromise of the database began in 2014, according to the article). Had it known this at the time, it is very unlikely Marriott would have paid the $13bn it did for Starwood. That said, it is doubtful Starwood was truly unaware of the breach during the 4 years it was ongoing. It is quite possible that, like Yahoo during its acquisition by Verizon, Starwood kept quiet about the hack to maximize its acquisition price, leaving the theft of roughly 0.5bn customer data records unaddressed. That would certainly make heads roll above and beyond the hack itself, so let's keep an eye out for that potential, if not likely, domino effect.
Implication: Given the status quo, Marriott shareholders have been double-dinged: first through the overvalued price paid for breach-compromised Starwood, and second through the nearly 7% share price drop since the hack was disclosed.
Lesson: Better regulation is necessary, but regulators AND innovators have a bigger role to play than has been the case to date. It is important to emphasize the necessity of better regulation, not just any regulation. And better regulation requires closer partnership between government and the tech innovation ecosystem – incorporating not just Silicon Valley’s but a global view of where innovation can go and is going so that such regulation (1) at the very least doesn’t stifle innovation while doing what it’s supposed to – provide a better life for a country’s citizens – but furthermore (2) aims to stay ahead of innovation, passing laws that are relevant for decades to come rather than being outpaced by innovation before they even become laws.
One need look no further than the EU's General Data Protection Regulation (GDPR). GDPR went into effect in May of this year and requires tighter disclosures under heavy penalties for non-compliance, with fines of up to 4% of global revenue. Innovation will by default have vulnerabilities at the outset because, given how fast technology is moving, today's secure solution is tomorrow's most insecure one and therefore a hacker's bounty. As such, GDPR is not only naïve in its assumption that penalties will eradicate security vulnerabilities; it is also a potential innovation-stifling catalyst for startups that cannot afford the penalties it proposes. Regulators and innovators must work together to reach a better solution, one that (1) makes security vulnerabilities a fiduciary responsibility of each Board member, (2) promotes (rather than stifles) innovation, and (3) provides regulation with longevity that doesn't become obsolete as tech innovation does what it does best: sprint. That requires closer collaboration between lawmakers and innovators than we have seen to date, and the question both sides need to ask themselves is: how can I (better) contribute to the solution?
Problem TWO: If, on the other hand, it truly took Starwood 4 years to discover that someone was on its networks, then its Board was simply not doing enough to protect shareholders, again failing in its fiduciary responsibilities.
Implication: For 4 years, Starwood customers were left vulnerable while hackers used their data in ways that are unlikely to be known for some time. We have not yet seen how this nefariously obtained data will be used against Starwood customers, and we may not know for a while.
Lesson: Focus not just on detection but on shortening the time to detection. The tech ventures and technologies we work with and invest in focus on shortening the time to discover a hack to days, not months, and certainly not years as in the case of Marriott/Starwood. There is no excuse for Boards to keep believing they must remain sitting ducks for as long as they do. And shareholders, Marriott's and otherwise, should expect more.
Problem THREE: Lazard and Citigroup were advisors to Starwood on the acquisition. Congrats for one-upping the competition and steering them away from the honey-pot of data breach issues? Or for not knowing the problem existed to begin with? It's hard to determine which is worse.... Deutsche Bank and Goldman Sachs, on the other hand, were advisors to Marriott. One must wonder where those bankers were when due diligence plans were being drafted and executed, seemingly missing cybersecurity altogether. Marriott should be asking for its money back.
Implication: It appears that investment banks, the very entities that often charge 2%+ of the acquisition price (in this case 2%+ of the $13bn acquisition price, or $260 million (!)), are currently being absolved of wrongdoing, even though their very job is to spearhead the due diligence on an acquisition. This could be thought of as malpractice....
Lesson: One, make sure you have a robust cybersecurity due diligence checklist for any acquisition or investment you make. CEOs and Directors who do not have cybersecurity due diligence on their M&A checklist honestly don't belong in their roles in this day and age (a couple of years ago, when it was more possible to be living under a rock, maybe... but not now). Cybersecurity-related fiduciary responsibilities are real, even if the laws don't reflect that yet, and Boards should take them seriously. Two, when choosing a financial advisor, whether it's Goldman or not, make sure they are robustly performing cybersecurity due diligence, and include performance clauses in their contract that stipulate clawbacks should a cybersecurity breach be discovered afterwards.
Cyber and Technology Risk Leader
Good article, Andrezj. The ideas of clawbacks and of being a Board that is ready to do oversight (and improve things like time-to-detect) are important benefits of cyber security risk diligence. Companies we talk to often don't understand the benefits intuitively, and these are great examples. My one "challenge" with your article is that I have not yet met a financial advisor who can do cyber security risk diligence effectively (which is why some firms specialize in it), but if you have, that is great to hear.
Advisor- Governance, Institutional Reform and Digital Transformations
Excellent article, Andrezj!