When a deal is moving, cybersecurity is rarely the thing anyone wants to slow down for. The financials are scrutinized, the legal terms are negotiated line by line, and the integration plan gets mapped out in detail. The target’s security posture, meanwhile, often gets a quick checkbox and a question about whether they carry cyber insurance. I have watched that shortcut turn into one of the most expensive mistakes a company can make, because the moment you acquire a business, you acquire its security posture along with everything else, the good and the dangerous alike.
This is not a theoretical risk. It is one of the costliest categories of error in modern deal-making, and the most instructive example is a deal that closed years ago and is still being studied today.
The Lesson of Marriott and Starwood
In 2016, Marriott completed its acquisition of Starwood Hotels and Resorts for over twelve billion dollars, combining the two companies into the largest hotel chain in the world. Marriott described it as a smooth transaction. The market responded positively. The strategic logic was sound.
What Marriott did not know was that attackers had been inside Starwood’s reservation system since 2014, two years before the acquisition even closed, and they remained there undetected. Marriott only discovered the intrusion in September 2018, two years after the deal completed. By then the breach had exposed the personal data of roughly five hundred million guests, including names, addresses, dates of birth, passport numbers, and payment card details.
The financial and reputational hit landed on Marriott, not Starwood. Regulators concluded that Marriott had failed to conduct sufficient cybersecurity due diligence when it bought Starwood and should have done more to secure the combined systems. The UK regulator alone pursued penalties in the tens of millions, and the broader cost across fines, lawsuits, and remediation ran far higher. The security weaknesses in Starwood’s network were the kind that a thorough assessment should have surfaced well before the deal closed.
The most important detail for any business owner is this: validating that a target carries a cyber insurance policy is not due diligence. Marriott’s own filings around the deal treated insurance as the primary protection against data breaches. Insurance pays out after the damage is done. It does not find the attacker already living in the network you are about to buy.
Why Acquisitions Create Unique Risk
Mergers and acquisitions concentrate several cyber risks into a single, high-pressure window. Understanding why helps explain where to focus.
You inherit blind spots you did not create
Any organization that acquires another business and its IT assets inherits major security blind spots unless the right tools are in place to find them. The target’s misconfigurations, unpatched systems, dormant accounts, and undetected intrusions all become yours at closing. You cannot protect what you do not know you have, and an acquired environment is full of things you have never inventoried.
Attackers know deals are noisy
During integration, systems are being connected, credentials are being shared, staff are distracted, and normal security routines are disrupted. That noise is exactly the cover an attacker wants. A merger is one of the few moments when two networks are deliberately being joined, which means a weakness on either side can suddenly reach across both.
Liability transfers with the asset
Acquiring companies have repeatedly become liable for inherited vulnerabilities, facing shareholder suits, class actions, and regulatory investigations over breaches that originated in the company they bought. Known risks and existing breaches also affect the acquisition price and the structure of the deal itself, which is why surfacing them early protects your negotiating position, not just your network.
Building Cyber Due Diligence Into the Deal
The fix is to move security from the closing phase, where it traditionally lived, to the evaluation phase, where it belongs. For a long time, security teams were brought in only near the end of a transaction to handle integration. By then it is too late to discover a problem like the Starwood breach before the deal is signed. Here is how to do it properly.
- Assess the target’s posture before you sign. A thorough cybersecurity assessment must be part of the diligence process, not the integration plan. Evaluate the target’s controls, monitoring, incident history, and data protection practices with the same rigor you apply to its financials.
- Build a full asset inventory. Map every system, application, and data store the target holds. Marriott’s failure to fully integrate and secure the Starwood network was a critical oversight, and it started with not knowing the full scope of what had been acquired.
- Hunt for active and historical compromise. The Starwood attackers sat undetected for four years. Prevention alone fails, so the diligence process needs active threat hunting and a review of the target’s monitoring and detection history to catch an intruder who may already be present.
- Strengthen the contract. Specific representations and warranties around cybersecurity and data privacy help shift some post-closing risk, particularly for past or ongoing attacks. They are not a substitute for diligence, but they are a meaningful backstop the Marriott deal notably lacked.
- Plan secure integration before closing. Decide in advance how the two environments will be joined, which systems will be retired, and how shared security policies will apply across the combined company. Uniform defenses across both organizations close the gaps that integration would otherwise open.
After the Deal Closes
Signing is not the finish line. The integration period is where inherited risk either gets contained or quietly expands. Marriott retired the Starwood systems and invested heavily in its security posture after 2018, yet it experienced another breach in 2022, a reminder that cybersecurity is an ongoing discipline rather than a one-time cleanup.
Three priorities matter most in the months after closing. First, bring the acquired environment under continuous monitoring immediately, so any dormant threat is caught early rather than years later. Second, unify access governance and decommission the orphaned accounts and legacy systems that integrations leave scattered behind. Third, apply a single, shared set of security policies across the combined organization so you are not defending two different standards at once.
Done well, this is also where deal value gets protected. A clean, well-secured integration preserves the customer trust and operational continuity that justified the acquisition in the first place. Done poorly, it can erase a meaningful share of the value the deal was supposed to create.
Protecting the Value You Paid For
A merger or acquisition is one of the largest investments a company ever makes. The cyber risk it carries is not a reason to walk away from good deals; cyber issues rarely kill a transaction outright. It is a reason to look before you commit, to price what you find, and to integrate with discipline. The companies that treat security as a core part of diligence protect both the transaction’s value and their own reputation. The ones that treat it as a closing-day formality inherit someone else’s breach and pay for it for years.
If you are evaluating an acquisition or working through a post-merger integration and want the target’s security posture assessed before it becomes your problem, Alchanis Technical Services brings that work into the deal where it belongs. Begin the conversation at alchanistech.com.