
REPRINT H04S5O

PUBLISHED ON HBR.ORG
MARCH 05, 2019

ARTICLE
SECURITY & PRIVACY
The Marriott Breach Shows Just How Inadequate Cyber Risk Disclosures Are
by Shivaram Rajgopal and Bugra Gezer

COPYRIGHT © 2019 HARVARD BUSINESS SCHOOL PUBLISHING CORPORATION. ALL RIGHTS RESERVED.
This document is authorized for use only by Raul Diaz (RAULOSJ@GMAIL.COM). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies.

Another year, another hack, and what seems like a very long wait to learn that it happened. Marriott recently waited 11 weeks to reveal that 383 million customer records had been compromised, exposing at least 25 million passport numbers and 8 million payment cards. Can you imagine a company like Marriott waiting 11 weeks to disclose its quarterly earnings numbers? That wouldn't be acceptable, so why is waiting that long to disclose this type of incident acceptable?

The Marriott breach offers four takeaways that should be useful to both senior managers and regulators: 1) cyber risk disclosure continues to be inadequate; 2) special events such as mergers and the associated cost cutting can open the door to cyber breaches; 3) systemic cyber risk is building; and 4) boards continue to be unprepared or unqualified to deal with cyber risk.

Inadequate disclosure

The only way to make companies take cyber risk seriously is to impose tough disclosure requirements and actively enforce those rules. The current SEC guidance is vague at best. We are unaware of an existing requirement in the securities laws that explicitly refers to cybersecurity risks and cyber incidents. Unfortunately, the SEC's guidance did not prevent Marriott from waiting almost three months to reveal a hack involving hundreds of millions of customer records. The SEC did pursue two enforcement actions against companies for failing to disclose cyber breaches, but those actions ended in relatively small settlements that did not materially affect the companies' bottom line. In our view, unless the penalty is significant, the senior officers of most companies will simply ignore cyber risk.

We looked at Marriott's public filings and the cyber risk disclosures in them. The data breach was detected on September 8, 2018. Marriott filed its 10-Q for the quarter ending September 30, 2018 on November 6, 2018. Although Marriott devoted two full paragraphs of that filing to the general threat of cyberattacks, there is no mention of the massive breach it had already detected, nor any disclosure of its economic impact on the company; boilerplate risk-factor language stood in for disclosure of a known incident. Marriott then filed a Form 8-K on November 30, 2018, disclosing the cyberattack. A Form 8-K must be filed within four business days of the triggering material corporate event, and for other kinds of news the company has shown it can act that quickly. For example, when Senator Mitt Romney resigned from Marriott's board on November 8, 2018, a Form 8-K was filed the next day, November 9, 2018.

We then closely examined Marriott's analysis of the potential economic fallout. The cyber insurance that Marriott management touted as a mitigating factor could be voided if the insurers take the view that the breach was the result of a coordinated intelligence-gathering operation by China and therefore crossed the threshold of "warlike activity," a standard exclusion in such policies. In addition, we believe that Marriott is exposed to Europe's GDPR data privacy rules because of this breach, although this exposure has not, to our knowledge, been mentioned by management or the media. (Under GDPR, a company must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Because Marriott offers services to, and holds personal data of, guests in the EU, this requirement applies to it.)

Fallout of cost cutting from mergers

When we examined the Marriott data breach in detail, we found that the breach occurred in Starwood's systems, not in Marriott's own. Somewhat predictably, most, if not all, of the staff at Starwood Corporate, including those working in information technology and cyber security, were let go as part of the cost savings sought from the merger, leaving the acquired systems without the people who knew them. Regulators should consider requiring companies to disclose their plans for protecting the data infrastructure of an acquired business after a merger. And senior leaders should carefully weigh the consequences of quickly consolidating the staff around critical data functions.

Systemic cyber-risk

The systemic risk related to cyber breaches grows with every major breach. Once an attacker has gained a foothold in one company's systems, the attacker can potentially reach that company's whole supply chain through the trust relationships and system integrations it shares with its partners.

To understand this risk better, consider the case of Avendra LLC. Avendra was cofounded by Marriott in 2001 to manage Marriott's North American procurement process, and in 2017 the company processed $5 billion worth of procurement in North America. If hackers gain access to Marriott, they could plausibly exploit the linkage with Avendra and place fake orders. This type of attack is estimated to have cost U.S. businesses $500 million in 2016. We expect these costs to keep rising steeply unless concerted action is taken.

Boards need better expertise

As at many other companies, there is a noticeable absence of cyber risk management expertise at both the board and the executive management level of Marriott. The current board has 13 members, but none of them has a cyber security or deep technology background, and Marriott has no dedicated cyber risk committee. Like many other companies, Marriott therefore has to lean on external "experts" to determine the scope, size, and impact of an attack.

We believe that regulators could get companies to focus on cyber readiness and on their systemic cyber-risk exposure by requiring boards of directors to make representations about the company's cyber security exposure. Once the board is "on the hook," corporate accountability should improve, which in turn should mitigate the damage that cyber breaches do to customers and to society as a whole. Many companies could learn from Marriott's story and consider in detail how they would handle a major data breach of their own.

Shivaram Rajgopal is the Roy Bernard Kester and T.W. Byrnes Professor of Accounting and Auditing and Vice Dean of
Research at Columbia Business School. His research examines financial reporting and executive compensation issues
and he is widely published in both accounting and finance.

Bugra Gezer is the founder CEO of Cyber Rate L.L.C.
