Marriott waited 11 weeks to reveal that 383 million customer records had been compromised, exposing at least 25 million passport numbers and 8 million payment cards. Can you imagine Marriott waiting 11 weeks to disclose its quarterly earnings numbers? That wouldn’t be acceptable; why, then, is waiting that long to disclose this incident acceptable? The Marriott breach offers four key lessons for senior managers and regulators: (i) cyber risk disclosure continues to be inadequate; (ii) special events such as mergers and the associated cost cutting can trigger cyber breaches; (iii) systemic cyber risk in the system is building; and (iv) boards continue to be unprepared or unqualified to deal with cyber risk.
Another year, another hack, and what seems like a very long wait to learn that it happened. Recently, Marriott waited 11 weeks to reveal that 383 million customer records had been compromised, exposing at least 25 million passport numbers and 8 million payment cards. Can you imagine a company like Marriott waiting 11 weeks to disclose its quarterly earnings numbers? That wouldn’t be acceptable; why, then, is waiting that long to disclose this type of incident acceptable?
The Marriott breach offers four takeaways that can be useful to both senior managers and regulators: 1) cyber risk disclosure continues to be inadequate; 2) special events such as mergers and associated cost cutting can trigger cyber breaches; 3) systemic cyber risk in the system is building; and 4) boards continue to be unprepared or unqualified to deal with cyber risk.
The only way to make companies take cyber risk seriously is to impose tough disclosure requirements and actively enforce those rules. The current SEC guidance is vague at best. We are unaware of any existing requirement in the securities laws that explicitly refers to cybersecurity risks and cyber incidents. Unfortunately, the SEC’s guidance did not prevent Marriott from waiting almost three months to reveal a hack involving hundreds of millions of Marriott customer records. The SEC did pursue two enforcement actions against companies for failure to disclose cyber breaches, but these actions imposed relatively small settlements and did not materially affect the companies’ bottom line. In our view, unless the penalty is significant, senior officers of most companies will simply ignore cyber risk.
We looked at Marriott’s public filings and the cyber risk disclosures in them. The data breach was noticed on September 8, 2018. Marriott filed its Form 10-Q covering the period ending September 30, 2018 on November 6, 2018. Although Marriott devoted two full paragraphs to the threat of cyberattacks in this filing, there is no mention of the massive data breach, nor any disclosure of its economic impact on the company. Marriott then filed a Form 8-K on November 30, 2018, disclosing the cyberattack. A Form 8-K is supposed to be filed within three days of the relevant material corporate event, and for other types of news the company is clearly capable of acting quickly. For example, when Senator Mitt Romney resigned from Marriott’s board on November 8, 2018, a Form 8-K was filed on November 9, 2018.
We then closely examined Marriott’s analysis of the potential economic fallout. The cyber insurance touted as a mitigating factor by Marriott’s management could be null and void if the insurers take the view that this data breach was the result of a coordinated intelligence-gathering operation by China and reached the threshold of “warlike activity.” In addition, we believe that Marriott might be exposed to Europe’s GDPR data privacy rules because of this breach, although this exposure has not, to our knowledge, been mentioned by management or the media. (Under GDPR, breaches must be reported within 72 hours. As long as at least one Marriott customer legally resides in the EU, this requirement would apply.)
Fallout of cost cutting from mergers
When we examined the Marriott data breach in detail, we discovered that the breach occurred in Starwood’s systems, not in Marriott’s. Somewhat predictably, most, if not all, of the staff at Starwood Corporate, including those working in information technology and cyber security, were let go as part of the cost savings stemming from the merger. Regulators should consider imposing disclosure requirements about a company’s plan to protect its data infrastructure after a merger. And senior leaders should carefully consider the potential impact of quickly consolidating staff around critical data functions.
The systemic risk related to cyber breaches builds with every major breach. Once a hacker has managed to get into a company’s computer systems, the hacker can potentially reach that company’s whole supply chain.
To understand this potential risk better, consider the case of Avendra LLC. Avendra was a company cofounded by Marriott in 2001 to manage Marriott’s North American procurement process. In 2017, the company processed $5 billion worth of procurement in North America. If hackers gain access to Marriott, they could plausibly exploit the linkage with Avendra and place fake orders. This type of attack is estimated to have cost U.S. businesses $500 million in 2016. We estimate that costs will keep going up exponentially unless concerted action is taken.
Boards need better expertise
As with many other companies, there is a noticeable absence of expertise in cyber risk management at the board level and at the executive management level of Marriott. The current board has 13 members but none of them has a cyber security or deep technology background. Marriott does not have a dedicated cyber risk committee. Like many other companies, Marriott has to lean on external “experts” to determine the scope, size, and impact of the attack.
We believe that regulators could get companies to focus on cyber readiness and the attendant systemic cyber-risk exposure by forcing boards of directors to make representations on the cyber security exposure of the company. Once the board is “on the hook,” corporate accountability should improve and mitigate the damage from cyber breaches to customers and to society as a whole. Many companies could learn from Marriott’s story and consider in detail how they would handle such a major data breach.