Merger and Acquisition Woes
Supply Chain Risks
Misconfigured S3 continues to be the biggest challenge:
Last week there were reports that a hotel reservation platform used by some of the leading hotel booking websites left data belonging to millions of guests exposed on a misconfigured AWS S3 bucket. The platform lets hotels manage their availability across online booking sites. Reports suggest that guest details were stored by the platform without any protection in place, putting millions of people at risk.
The report also suggests that the credit card details of hundreds of thousands of people were exposed, which is a potential breach of both GDPR and PCI DSS requirements. The misconfigured S3 bucket contained data that appeared to originate from some of the most popular hotel booking websites.
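As an added illustration (not code from the report or from the platform involved), here is a small Python check for the two settings that most often leave an S3 bucket public: a bucket policy that grants access to anonymous principals, and Block Public Access not fully enabled. The bucket name, role ARN and account id are constructed placeholders; the policy JSON and PublicAccessBlock dictionary are the shapes you would retrieve with the AWS CLI or SDK.

```python
import json

# Constructed sample policy (not from the incident): anonymous read of every object.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reservations/*"}]})

# Constructed hardened policy: one named role (placeholder account id), TLS only.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ServiceRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReservationService"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reservations/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json):
    """Sids of Allow statements granting anonymous access with no Condition.
    Conditional grants are not flagged here; they need manual review."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]

def block_public_access_ok(cfg):
    """True only when all four S3 Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)

def bucket_findings(policy_json, pab_cfg):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"statement '{sid}' allows anonymous access"
                for sid in public_statements(policy_json)]
    if not block_public_access_ok(pab_cfg):
        findings.append("Block Public Access is not fully enabled")
    return findings
```

Running the weak policy with an empty PublicAccessBlock yields two findings; the hardened policy with all four settings enabled yields none.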
Importance of Due Diligence
Due diligence is critical to identify and remediate risks before an M&A transaction is finalized or a new vendor is onboarded. While operations, sales, finance and legal due diligence are routinely performed, organizations should understand that cybersecurity due diligence is a key component of the entire process. Detailed cybersecurity due diligence is critical to identify weaknesses in security posture and risks that may prove to be deal breakers.
What went wrong?
In the case of the hospitality group and the booking websites, it appears that adequate security due diligence was not done prior to the acquisition and vendor onboarding. The acquiring company is going to have to pay fines for events that happened before it had responsibility for the acquired company.
How could it have been avoided?
Any risks identified during due diligence should be reported and should form part of the conditions precedent and conditions subsequent to deal closure. Customers should constantly monitor the security posture of their vendors; this matters more than ever in the cloud. The security requirements and the security maturity that a customer expects from its vendors should be articulated clearly in the contracts, and vendors should be audited regularly to check their compliance with those requirements.
Enterprises should understand that cyber risks expose them not only to financial loss and regulatory scrutiny but also to reputational damage. For enterprises with a B2C business model, reputation and brand value are everything. If reputation is lost, everything is lost!