The Lesson Marriott Learned After Closing the Deal

When Marriott acquired Starwood Hotels in 2016, the deal looked like a hospitality industry win. What nobody caught during cybersecurity due diligence was that Starwood's guest reservation database had been compromised since 2014. The intrusion wasn't discovered until 2018, exposing what Marriott first estimated at roughly 500 million guest records (later revised to about 339 million). The UK's ICO initially proposed a £99 million penalty and ultimately fined Marriott £18.4 million, and the FTC launched its own investigation. Marriott inherited an active data breach as part of the acquisition, along with the liability that came with it.

That's what happens when cybersecurity due diligence is treated as a checkbox exercise instead of a genuine investigation. Whether you're evaluating a vendor, closing an acquisition, or auditing your own organization's security posture, the stakes are real and the consequences are measured in hundreds of millions of dollars. This post breaks down what cybersecurity due diligence actually involves, where most organizations fail, and the specific steps I've seen separate the prepared from the exposed.

What Is Cybersecurity Due Diligence?

Cybersecurity due diligence is the systematic evaluation of an organization's security controls, threat exposure, data handling practices, and incident history. It applies in mergers and acquisitions, vendor onboarding, partnership agreements, regulatory compliance reviews, and internal security audits. The goal is straightforward: understand the real risk before you accept it.

This isn't just an IT exercise. It's a business-critical investigation that touches legal, compliance, operations, and finance. In my experience, the organizations that treat it as purely technical miss the biggest risks — the ones hiding in contracts, vendor relationships, and employee behavior.

Why Most Due Diligence Programs Fail Before They Start

I've reviewed due diligence reports that were 80 pages long and still missed critical exposures. The problem isn't usually a lack of effort. It's a lack of focus on the right things.

Over-Reliance on Self-Reported Questionnaires

Most vendor and M&A due diligence starts with a security questionnaire. The target fills it out, checks the right boxes, and everyone moves on. The problem? According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches involve the human element — including social engineering, credential theft, and errors. A questionnaire won't surface those risks. It tells you what someone says they do, not what they actually do.

You need to verify. That means reviewing actual configurations, testing controls, and examining incident tickets and the logs behind them, not just reading policy documents.

Ignoring Third-Party and Supply Chain Risk

Your target organization might have excellent internal security. But what about their vendors? The SolarWinds compromise showed how a single trojanized supplier update can reach thousands of downstream organizations: the malicious Orion build went out to roughly 18,000 customers, from which the attackers selected a much smaller set for follow-on intrusion. CISA's guidance on supply chain compromise makes the implication clear: you inherit the risk of every third party your partner trusts.

Effective cybersecurity due diligence maps the entire supply chain — at least two levels deep — and evaluates the security posture of critical vendors.

The $4.45M Data Breach You're Trying to Prevent

IBM's 2022 Cost of a Data Breach Report pegged the global average breach cost at $4.35 million. The 2023 report pushed that to $4.45 million. For organizations in heavily regulated industries the figure is significantly higher: healthcare averaged $10.93 million in the 2023 report, the costliest industry for the 13th consecutive year.

Here's the part that directly relates to due diligence: in the 2023 report, breaches with a lifecycle (time to identify and contain) under 200 days cost an average of $3.93 million, against $4.95 million for those that took longer, a difference of about $1 million. The Marriott-Starwood breach went undetected for roughly four years. Speed of detection matters, and due diligence is your opportunity to find problems before they compound.

A Practical Cybersecurity Due Diligence Checklist

I'm not going to give you a 200-item spreadsheet. I'm going to give you the areas that matter most, based on real incidents and enforcement actions I've tracked over the past decade.

1. Data Inventory and Classification

Before you evaluate how data is protected, you need to know what data exists and where it lives. Ask specifically:

  • What categories of personal data, financial data, and intellectual property are stored?
  • Where is this data stored — on-premises, cloud, hybrid?
  • Who has access to it, and how is access controlled?
  • Is there data the organization doesn't know about (shadow IT)?

The FTC has repeatedly cited inadequate data inventory as a contributing factor in enforcement actions. If you don't know what you have, you can't protect it.

2. Incident History and Response Capability

Ask for a complete history of security incidents over the past five years. Not just breaches — include near-misses, phishing incidents, ransomware attempts, and any law enforcement involvement. Review their incident response plan and, critically, ask when it was last tested.

An organization that has never run a tabletop exercise or phishing simulation is an organization that will fumble its response when a real threat actor shows up. I've seen companies with beautiful IR plans on paper that fell apart the moment an actual ransomware payload detonated.

3. Technical Security Controls

This is where you dig into the specifics:

  • Multi-factor authentication (MFA): Is it enforced across all critical systems, including email, VPN, and admin consoles? The FBI's IC3 2022 Internet Crime Report documented $10.3 billion in reported losses, with business email compromise alone accounting for $2.7 billion. MFA stops most credential-stuffing and password-reuse attacks, but check which factors are allowed (SMS and push prompts are phishable; FIDO2/WebAuthn is not), whether legacy protocols such as IMAP or basic auth bypass it, and whether service accounts and break-glass accounts are covered.
  • Endpoint detection and response (EDR): Antivirus isn't enough. You need active monitoring and response capabilities on every endpoint. Ask for the deployment coverage figure (including servers and Macs), who triages the alerts, and the median time from alert to action.
  • Network segmentation: Can a single compromised workstation reach the crown jewels? If yes, that's a deal-affecting finding. Ask for the firewall rule export or the most recent internal penetration test rather than a network diagram.
  • Encryption: Data at rest and in transit. Verify the implementation, not just the policy: which TLS versions and cipher suites are accepted, where keys are stored, who can decrypt, and whether backups and exports are covered.
  • Zero trust architecture: Has the organization moved toward a zero trust model, or is it still operating on implicit trust within the network perimeter?
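As an added example (not code from the original post), here is the kind of check that turns "MFA is enforced" from a questionnaire answer into something you can test. It parses the CSV produced by the real AWS commands `aws iam generate-credential-report` and `aws iam get-credential-report` (the column names are AWS's; the rows below are constructed), and flags console users without MFA, any active root access key, and access keys older than an assumed 90-day rotation policy. The 90-day threshold and the assessment date are assumptions for the example, not AWS defaults.

```python
"""Due-diligence check: MFA and access-key hygiene from an AWS IAM credential report.

Added example for this post, not the author's code. Column names match the
real credential report; the sample rows and the thresholds are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the real report's column layout. A real report has more
# columns (password_next_rotation, cert_*, key last-used fields); csv.DictReader
# simply ignores columns the check does not read.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T00:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,not_supported,false,true,2019-03-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T00:00:00+00:00,true,2024-02-01T09:00:00+00:00,2023-12-01T00:00:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T00:00:00+00:00,true,2024-02-02T09:00:00+00:00,2022-01-01T00:00:00+00:00,false,true,2023-11-15T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-01-01T00:00:00+00:00,false,no_information,N/A,false,true,2021-01-01T00:00:00+00:00,false,N/A
"""

KEY_MAX_AGE = timedelta(days=90)                       # assumed policy threshold
AS_OF = datetime(2024, 2, 15, tzinfo=timezone.utc)     # assumed assessment date


def _parse_ts(value):
    """Return an aware datetime, or None for N/A, not_supported, no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, as_of):
    """Return a list of (user, finding) tuples for the assessment date `as_of`."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        # The root row reports password_enabled as not_supported, but root can
        # always sign in to the console, so treat it as a console principal.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and not has_mfa:
            findings.append((user, "console access without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root account has an active access key"))
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or as_of - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {slot} older than {KEY_MAX_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"{user:15} {finding}")
```

Run it against the target's real report by replacing SAMPLE_REPORT with the decoded `Content` field from `get-credential-report`. A clean questionnaire answer paired with a non-empty findings list is exactly the gap this section is about; the same approach applies to any identity provider that can export per-user MFA state.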

4. Security Awareness and Human Risk

Every technical control in the world won't protect you if employees click malicious links and hand over credentials. The human element remains the top attack vector, and your due diligence needs to assess how the target organization addresses it.

Look for evidence of ongoing cybersecurity awareness training — not a one-time onboarding video, but a sustained program with regular updates. Ask for phishing simulation results. Organizations running regular phishing awareness training for their employees can typically show click-rate trends over time. If they can't produce those metrics, they probably aren't running simulations.

5. Regulatory and Compliance Status

Map the target's regulatory obligations: HIPAA, PCI DSS, GDPR, CCPA, SOX, GLBA, whatever applies. Then verify compliance status. Are there outstanding audit findings? Have they been subject to regulatory investigations? Are there pending lawsuits related to data handling?

The FTC's enforcement actions against companies like Drizly and CafePress show that regulators are increasingly holding organizations, and even individual executives, accountable for security failures: the Drizly order bound the company's CEO personally and follows him to future executive roles.

6. Contractual and Insurance Review

Review cyber insurance policies. What's covered? What's excluded? What are the notification requirements? I've seen acquisitions where the target's cyber insurance explicitly excluded the type of breach they were most likely to experience. That's a material finding.

Also review contracts with key vendors and customers. Many enterprise contracts include security requirements, breach notification obligations, and indemnification clauses that create hidden liability.

How Cybersecurity Due Diligence Differs in M&A vs. Vendor Management

Mergers and Acquisitions

In M&A, you're buying the entire risk profile. Every unpatched server, every compromised credential, every regulatory violation becomes yours at close. The Marriott-Starwood case is the textbook example, but it's far from the only one. Verizon famously negotiated a $350 million discount on its Yahoo acquisition after two massive breaches were disclosed during due diligence.

M&A cybersecurity due diligence should begin in the letter-of-intent phase and continue through integration. Post-close, you need a 90-day integration security plan that addresses the highest-risk findings immediately.

Vendor and Third-Party Assessments

Vendor due diligence is ongoing, not one-and-done. A vendor that passed your assessment 18 months ago may have changed platforms, lost key security staff, or suffered an unreported incident since then. Build continuous monitoring into your vendor risk management program. At minimum, reassess critical vendors annually and after any significant change in their environment.

The Zero Trust Connection

Zero trust isn't just a network architecture — it's a due diligence philosophy. Never trust, always verify. That applies to the answers on a security questionnaire just as much as it applies to network traffic.

NIST Special Publication 800-207 defines zero trust architecture, and its tenets map directly to due diligence: grant nothing on the basis of network location or asset ownership, enforce least privilege on every request, and assume the environment may already be compromised. If you approach every due diligence engagement with the assumption that something is wrong and your job is to find it, you'll produce dramatically better results.

Building a Due Diligence Team That Actually Works

Effective cybersecurity due diligence requires a cross-functional team. In my experience, the best teams include:

  • A senior security practitioner who can evaluate technical controls and read between the lines of a SOC 2 report: the audit period, which systems were in scope, the exceptions noted by the auditor, and whether the opinion was qualified.
  • Legal counsel with data privacy and regulatory expertise.
  • A business stakeholder who understands the operational context and can assess whether security findings are deal-breakers or manageable risks.
  • A third-party penetration tester for high-stakes assessments — especially M&A. Internal teams may lack the objectivity or specialized tooling needed for a thorough evaluation.

The team should have a clear escalation path for critical findings. A discovered active breach during due diligence changes the entire timeline — your team needs authority to pause the process if warranted.

What Happens After the Assessment

A due diligence report that sits in a drawer protects nobody. Every finding needs an owner, a remediation timeline, and a verification step. For M&A, critical findings should be addressed in the purchase agreement — through price adjustments, escrow holdbacks, or specific remediation commitments with contractual teeth.

For vendor assessments, findings should feed into your risk register and inform contract negotiations. If a vendor refuses to remediate a critical finding, that tells you everything you need to know about working with them.

Your People Are Part of the Due Diligence Equation

Technical assessments and policy reviews only tell part of the story. The organizations I've seen with the strongest security postures invest heavily in their people. They run regular security awareness programs, conduct phishing simulations, and build a culture where employees report suspicious activity without fear of blame.

If you're evaluating another organization's security — or your own — and you find that security awareness training is outdated, infrequent, or nonexistent, that's a red flag on par with an unpatched critical vulnerability. Threat actors exploit people just as readily as they exploit software. Social engineering remains the most reliable initial access vector for sophisticated attackers and opportunistic criminals alike.

Start building that human firewall now. Enroll your team in structured cybersecurity awareness training and complement it with ongoing phishing simulation exercises that keep employees sharp against real-world social engineering tactics.

Cybersecurity Due Diligence Is a Continuous Discipline

The threat landscape shifts constantly. A due diligence assessment is a snapshot — it tells you the risk at a specific moment in time. Organizations that treat it as a one-time event get blindsided when conditions change.

Build due diligence into your operational rhythm. Reassess after major infrastructure changes, leadership transitions, and new regulatory requirements. Monitor for indicators of compromise in your partners and vendors. Make it part of your culture, not just your deal process.

The organizations that do this well don't just avoid the next Marriott-sized catastrophe. They build a security posture that becomes a genuine competitive advantage — one that customers, regulators, and partners can trust.