Amid their massive merger, aerospace and defense giants Raytheon and United Technologies are performing extensive cybersecurity due diligence across both companies, according to an SEC filing.
Given (A) the merger's importance to the U.S. federal government and Department of Defense and (B) the current state of cyberattacks, MSSP Alert wonders if the M&A deal has triggered the largest cybersecurity due diligence project in history.
The good news, at least so far: Neither Raytheon nor United Technologies has suffered a significant cyber breach since January 1, 2017, according to a knowledge statement from each company, the filing says. Dig a little deeper into the legal text, and it's easy to see that cybersecurity due diligence is top-of-mind for both companies.
A statement from Raytheon about the company's IT assets and related security covers the following areas:
"Information Technology; Data Protection. The IT Assets of Raytheon and its subsidiaries operate and perform as needed by Raytheon and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Raytheon. Since January 1, 2017, to the knowledge of Raytheon, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any security breaches, unauthorized access, failures or unplanned outages or other adverse integrity or security access incidents (i) affecting the IT Assets of Raytheon or its subsidiaries or any other persons to the extent used by or on behalf of Raytheon or its subsidiaries (or, in each case, information and transactions stored or contained therein or transmitted thereby) or (ii) resulting in a partial or complete loss of control of any products of Raytheon or its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Raytheon. Except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Raytheon, Raytheon and its subsidiaries (A) are and have been since January 1, 2017 in compliance with all Applicable Laws, as well as their own rules, policies and procedures, relating to privacy, data protection and the collection, retention, protection, transfer, use and processing of Personal Data and (B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect Personal Data against unauthorized access, use, loss and damage. 
To the knowledge of Raytheon, since January 1, 2017, there has been no unauthorized access to, or use, misuse or loss of, or damage to, any Personal Data maintained by or on behalf of Raytheon or any of its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Raytheon."
A similar statement from United Technologies covers these areas:
"Information Technology; Data Protection. The IT Assets of UTC RemainCo and its subsidiaries operate and perform as needed by UTC RemainCo and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on UTC. Since January 1, 2017, to the knowledge of UTC, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any security breaches, unauthorized access, failures or unplanned outages or other adverse integrity or security access incidents (i) affecting the IT Assets of UTC RemainCo or its subsidiaries or any other persons to the extent used by or on behalf of UTC RemainCo or its subsidiaries (or, in each case, information and transactions stored or contained therein or transmitted thereby) or (ii) resulting in a partial or complete loss of control of any products of UTC RemainCo or its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on UTC. Except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on UTC, UTC RemainCo and its subsidiaries (A) are and have been since January 1, 2017 in compliance with all Applicable Laws, as well as their own rules, policies and procedures, relating to privacy, data protection and the collection, retention, protection, transfer, use and processing of Personal Data and (B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect Personal Data against unauthorized access, use, loss and damage.
To the knowledge of UTC, since January 1, 2017, there has been no unauthorized access to, or use, misuse or loss of, or damage to, any Personal Data maintained by or on behalf of UTC RemainCo or any of its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on UTC."
The filing, to the best of MSSP Alert's knowledge, did not mention how the combined Raytheon and United Technologies would manage their respective MSSP, cybersecurity and physical building security businesses.
Mergers, Acquisitions: Cyber Due Diligence and Breach Costs
Meanwhile, M&A deals within key verticals face growing cyber due diligence regulations. And for good reason. Numerous companies have discovered that acquired assets suffered cyberattacks before, during or after the M&A process. High-profile victims include Marriott, which has paid about $28 million to clean up a cyber breach at acquired asset Starwood Hotels. Cyber insurance apparently covered about $25 million of the costs.