gvt

The need for cyber due diligence in a merger or acquisition is more relevant than ever. On 9 July 2019, the UK Information Commissioner's Office (ICO) announced that it would issue Marriot International with a £99 million fine for breach of European data protection law under the European Data Protection Regulation (GDPR). The fine relates to a breach of Starwood Hotels, one of Marriot International's recent acquisitions. Over 500 million of its guests may have been affected. The ICO's report says "Marriot failed to exercise sufficient diligence in the Starwood acquisition and should have done more to secure its systems". This failure underscores the need for parent companies and investment firms to improve their management of the security and privacy risks associated with their acquisitions and subsidiaries and to reckon with appropriate sanctions. Mergers and acquisitions inevitably entail financial, legal and reputational risks. The Marriott case is one [...]