When Marriott acquired Starwood Hotels and Resorts for $13 billion, it knew it was buying enough properties to become the world’s largest hotel company. 
What it did not know at the time? The Starwood reservation system it was acquiring had been hacked, because of a data breach that began long before the two companies became one.
M&A cyber risk is real. And we just had another example of the different ways it can appear—perhaps when you least expect it.
DNA Diagnostics Center (DDC) just announced a data breach affecting more than two million of its customers’ personal data, including Social Security numbers and financial information.
DDC is a genetic testing laboratory located in Cincinnati, Ohio, that has helped millions of people figure out the truth behind their DNA. They focus on five main areas: paternity and family relationships, fertility testing, lifestyle testing, pets and veterinary, and forensics.
The company says its test collection and analysis are unaffected because  attackers went after something old, something it picked up in an acquisition.
The company explained it its security incident notification:
“On August 6, 2021, DNA Diagnostics Center, Inc. (DDC) detected potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database that contained personal information collected between 2004 and 2012.
The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC’s operations and has not been active since 2012.”
The statement does not explain why the company maintained continued access to an inactive database, which threat actors then took advantage of.
The information accessed includes full names, credit and debit card numbers with CCV, financial account numbers, and platform account numbers. However, it does not appear that medical information was taken in this breach. 
What kind of cyber risks are lurking in the organizations you are acquiring or merging with? Have you looked closely enough at this type of risk?
Toby Zimmerer, Director of Cybersecurity Due Diligence at RSM US, says an increasing number of deals are changing based on what these types of assessments reveal. 
“It’s quite substantial. You know, in the conversations I’ve had with portfolio companies, with buyers and with sellers, there’s a lot of times where the organizations are now taking a step back and saying, ‘how do we amend our purchasing agreements? What are the adjustments we have to take take into consideration?'”
Zimmerer recently spoke at a SecureWorld conference on this topic. 
“Cybersecurity due diligence is a confirmatory review of the acquisition target to uncover liabilities. What’s happened in the past? What are the risks out there that we have to be aware of, from a regulatory or from an industry perspective?
You know, taking a look at when an organization states they have controls in place, really understanding, well, who validated those? Are you leveraging third-party attestation to validate? Are things in place? Are they meeting your requirements?”
And Zimmerer says this extends beyond how a deal will get written to if it can be written at all. Part of the reason is that insurers are more cautious:
“We’re seeing them put in absolute exclusions, if an organization had a past breach, they may not necessarily want to insure that going forward. That has a lot of bearing on how much risk an organization is about to take, how much they actually are going to spend. And ultimately, how are they going to go forward with the deal? We are seeing portfolio companies walk away from deals because they think that there’s too much risk.”
Zimmerer works in the Transaction Advisory Services Practice of RSM US.
What kinds of acquired risk are you hearing about that organizations need to watch for? Let us know in the comments below.

source