Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Compliance Considerations When Acquiring Hotel Properties
Quick Take
On this episode of Compliance Unfiltered, the CU guys have a chat about the wonderful world of acquisitions, specifically in the hotel space.
Adam gives a solid background on the Hotel acquisition arena and shares some key details with the listeners about where to get started from a compliance perspective.
Wondering what tools folks are using in the space? Looking for ways to avoid the common pitfalls of the process? Just trying to get your footing on how to be best prepared?
Well, you’re in luck! All these answers and more on this week’s Compliance Unfiltered.
Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the mint on your compliance pillow, Mr. Adam Goslin. How the heck are you, sir?
I am doing fantabulous today, Todd. How about yourself?
I cannot complain. I certainly cannot. Today, we’re going to chat about compliance considerations when acquiring hotel properties. Now, going through an acquisition in any form is a harrowing experience. Tell us more at a high level about the pitfalls of acquisitions.
Well, you know, part of this came up because I had a client that asked me to give them some assistance with onboarding an organization that they had decided to acquire, and the due diligence had already been performed, which kind of influenced the decision to make the acquisition. But, you know, I quickly found all sorts of issues that weren’t discovered during due diligence, but should have been. And, you know, there were multiple compliance items that should have been in place that were missing, you know, even though they had been reported as being present during the acquisition process. And as a result, the remediation costs just went through the roof. It was supposed to be a profitable acquisition that, you know, quickly turned into a money pit of sorts. And, you know, fortunately, the client was able to turn the situation around and make the needed improvements and, you know, eventually come out in the black. But, you know, the expected financial rewards, you know, began as a big loss for a while. And so, you know, it’s not a unique story; it happens too frequently, and especially when compliance scrutiny is lacking, you know, on the first pass of that due diligence experience. The organization that was the one being acquired, you know, was claiming to be compliant with a particular standard, produced paperwork that was ostensibly for an assessment. And, you know, to the untrained eye, the documentation, you know, at a high level would look solid. But, you know, veteran compliance experts would have seen the organization and the assessor were basically paying lip service to their, you know, to the compliance program. And, you know, the client had just taken the assessment at face value and trusted that, oh, well, it’s got a report and it’s going to have a certain amount of rigor involved.
And it just frankly didn’t, you know, and, you know, those bad assumptions drove decisions for making the acquisition. It wasn’t until it was too late that they realized just, you know, what exactly wasn’t in place. And so, you know, there’s certainly a lot of important elements to examine when, you know, your hospitality organization is, you know, out seeking and purchasing new properties. You know, most of the attention is, you know, whatever, financial and infrastructure and things along those lines. But, you know, the numbers, if you will, the financial numbers don’t tell the entire story; you know, their financials might look great. But if their compliance program’s smoke and mirrors, then, you know, all of a sudden dollars you were expecting aren’t, you know, aren’t appearing. So, you know, that’s kind of a little bit of the background, if you will, on, you know, how we came about this topic, so to say.
Sure, sure. So how should organizations start that process from a compliance perspective to get their ducks in a row?
Well, you know, the one thing that I would recommend, if you’re not wanting to have some unpleasant surprises, you know, during that acquisition, is just making certain that you’ve got a seasoned compliance consultant that can quickly, you know, spot the signs of trouble. You know, just remember that, you know, the property has an incentive to appear as desirable as possible, and the more positively they present themselves, the higher the sale price. And without a knowledgeable person running the due diligence that can, you know, identify the skeletons in the closet, then, you know, you don’t want to be either walking into a money pit or walking into a situation where profits you expected now aren’t there. Because that’s not going to work out well for anybody. So, you know, a good, experienced compliance consultant, they can help to ensure you’re asking the right questions. They can look for the skeletons in the closets. They can plan onboarding strategies that line up with your organization, and, you know, I’ve done numerous of these, you know, over the years. And when the organization doing the acquiring, you know, has somebody of a, you know, good caliber that’s helping them, it is really astronomically valuable when all is said and done.
What are some things that one needs to gather and review during the due diligence process?
Well, certainly, as you’re going through that process, making sure you’ve got as full of a picture of their security and compliance program as you can would be good, requesting their reports as an example. Also, there’s NDAs and things along those lines that are in place between the organizations. So you would have the opportunity to get expanded access, and really, you have the right at that point in the game to request things that most organizations aren’t sharing with third parties, if you will, things like the device inventory, the network and data flow diagrams that they’ve got, a copy of their firewall rules, etcetera. Core elements like that are the ones that are driving the other controls across the compliance program. So getting some of those core elements is certainly a good place to start. If those don’t appear to be terribly thorough or correct, then that’ll give you some signs about what you’re in for. And the other piece is just receiving any compliance reporting that they do. It depends on the organization and which standards they’re subject to, but certainly if you’re in the hospitality industry, then you can expect PCI comes into play at bare minimum, maybe more. But don’t make the mistake of just getting the reports, taking a quick whiz through the executive summary and throwing it in the filing cabinet. That approach was exactly how the prior client that I was talking about ended up with months and months of losses and whatnot, and having to throw in additional money they weren’t expecting. It’s really critical to dig into that target acquisition’s reports with a fine-tooth comb. Make sure that the reports that you’re getting align with the scope of the compliance that the organization’s responsible to meet. Make sure that you’re looking for any oddities or unusual details that you wouldn’t expect to find. Pay attention to red flags that may be popping up, regardless of how small they appear to be.
The most important part is just asking plenty of good questions about the standards they comply with, their overall compliance program, and don’t settle for high-level, I just Googled it, generalized answers. Anybody that’s been in this space for a while, you can tell the difference between the fake it till you make it and the ones that actually know what the hell they’re talking about. So, making sure you understand the scope of the standards that they leverage to apply to their property. Does the hotel appear to be in fundamental alignment with those standards? And it depends on a lot of factors, including things like tools and technology, so to speak.
Well, what attention should be paid to the equipment that they’re using?
Well, you know, considering the standards that you’re going up against, you know, and most likely privacy concerns and PCI, the equipment that they own, you know, it really comes into play, right? How old is it? Is it still supported? Is it up to snuff, you know, for the compliance standards, etcetera? So, you know, as you’re digging into, you know, kind of the inventory and equipment that they’ve got, you know, taking a look and seeing, you know, that’s certainly part of the evaluation process. Are we going to have to, are we going to be able to, you know, what’s our game plan? Are we going to be able to leverage what they’ve got for the moment? Are we going to kind of change them over to our, you know, general corporate standard equipment? How quickly are we going to need to do that? Is their stuff better? Yeah, I’ve seen this happen a couple of times. Is their stuff better than ours? Right? Maybe we can learn a thing or three, you know, type of thing. So, you know, it’s really just kind of a take-a-look-at. But if you’ve got an out-of-date, no-longer-supported POS system, well, you know, that’s being used kind of globally across the, you know, across the acquisition, well, now I’m walking in knowing that I’m going to have to put a substantial amount of dollars into not only, you know, quickly deploying equipment and capital expenses right out of the gate, you know, but you’ve also got to be able to kind of navigate the waters between here and there so that you’re not impacting the, you know, the overall organization’s state of compliance either. So, you know, it’s just some various considerations, you know, from an equipment perspective.
Well, speaking of considerations, what considerations should be paid regarding the infrastructure they’re leveraging for the system?
Well, when you’re going in and looking at the new property, it’s not just the property you’re acquiring, but often it’s a group of properties that are going to be coming in. You may have everything integrated into a single infrastructure, but you’ve got multiple cultures and ways of working and things along those lines, so it’s all going to add complexity to the compliance program. You’ve got your own existing list of hardware and software, you’re bringing in this organization with their own list of hardware and software, etc. And so, since you may or may not be familiar with the stuff you’re getting, one consideration as you’re going through the acquisition most certainly is to make sure you’re retaining people from the acquired company who have the capability to manage and maintain that environment, certainly if it’s equipment that you’re not familiar with; otherwise you could risk losing the capability to support the critical information and technology that came along with that purchase. It’s certainly a key business concern just for maintaining operations, but also making sure you’ve got that under control ensures that you’re also paying appropriate attention to how you’re going to handle the compliance challenges as you roll down that hill. If you’re bringing in a new POS system, then are you going to, like I say, maintain it for a period of time, are you going to get right out of the gate, are you going to go make an investment in standardization, are you going to transition from one platform to another, etc. So the acquisition really introduces some new things for the organization. It’s certainly easier to maintain one platform across the board, but for some organizations that’s not easily or readily feasible to do; hell, sometimes you want to go do it, but the equipment that you’d like to go deploy isn’t available, it’s on back order, whatever.
So there’s a lot of things that are going to kind of play into it, but just the most important part is keeping in mind, regardless of whether their stuff is great and you want to go that route, or you want to get them standardized with the stuff you’re already doing and using to gain that standardization, either way, you’ve got training that’s going to come on top of that, rollout, installs, getting things working, all that fun stuff. So there’s a lot of forethought and planning that kind of comes into play when it comes down to the time to go in and figure out what you want to do with what you’re about to acquire.
Fair. Now what scope considerations are there as it relates to the acquisition?
Well, you know, during this due diligence process, etcetera, I mean, you’ve got to look at your existing, you know, compliance controls, the scope that you’ve got today, you know, and whether or not you’re going to either need to retract or expand the scope as a result of, you know, maybe the unique compliance needs of the target you’re acquiring. You know, certainly you’ve got to make sure that you’ve got all the assets and, you know, artifacts and whatnot up to date. So you’re basically going to, as soon as you go in and do the acquisition, you’re going to have to go, you know, roll out a whole bunch of updates to, you know, the inventory and network diagrams, data flows and da da da da. So, you know, certainly you’re going to have to go through the, you know, the full suite of controls. And as you’re kind of making those adjustments to, you know, your scope for compliance, you know, there may be areas where you can, you know, expand or contract. So, you know, updating the scope for your internal and your external vulnerability scans, updating the scope for your penetration testing, you know, making sure that you’ve got all the new assets that you plan to go load over to the inventory, you know, making sure that you’ve updated your, you know, kind of patch management system. If you’re bringing on, you know, their hardware, even if temporarily, I’m going to have to keep that, you know, keep that stuff patched, etcetera. So, you know, you’ve just got to kind of walk in eyes wide open.
Once I know how we’re going to go philosophically, how we’re going to go about doing the acquisition and which path we’re going to take, you know, knowing and understanding those ripple impacts to the, you know, kind of the scope of your existing engagement, you know, it’s a hell of a lot easier if you’ve already thought that stuff through so you can, you know, kind of handle it in stride.
What are some best practices the listeners can adopt to avoid any unpleasant compliance surprises, we’ll say?
Well, you know, we talked about it early on, and certainly I’d echo it again: engage a seasoned compliance expert, you know, make sure that whoever it is, that they’ve got a deep level of experience with due diligence, not just finance, not just legal, you know, type of a thing, but literally IT and security compliance due diligence exercises, you know, because it’s really a different skillset. What I’ve seen in general is that the toolbox for those in the due diligence arena often falls, I’ll call it, quite short when it comes to the, you know, the compliance side of things. You know, validating that documentation thoroughly. So, you know, don’t just take in their search and their reports, etcetera, at face value, but, you know, dig deeper, request evidence, poke, prod, you know, figure out how these guys are doing what they’re doing day by day; you know, kind of almost get into their shorts a little bit on that one. You know, looking at the technology and support status across, you know, auditing the hardware, the software, making sure that everything is supported, that everything is compliant with current requirements, etcetera, is another one. You know, checking through their inventory and diagrams. We talked earlier about the inventories, system and network diagrams, data flow diagrams, firewall rules, patch lists, et cetera. So go through all of that. Also look at, you know, the organizational knowledge; you know, you want to retain and absorb personnel that are holding critical or crucial systems knowledge to be able to avoid gaps post-acquisition.
You know, going through and looking at the scoping of those compliance controls, you know, walking through, doing your updates for vuln scanning, pen testing, you know, patching and, you know, security awareness training for, you know, for the newly acquired and folding them into your existing processes. There’s, you know, just a suite of things that are going to need to take place once you execute on the acquisition. So just being ready and being prepared for it. You know, planning for, you know, that integration versus standardization decision, you know, making that conscious strategic decision about, you know, whether do we migrate, do we maintain the hybrid support model, you know, factoring in, you know, any of the transitional risk and training needs as you’re going through that process, but the, you know, the important part there is just having that game plan upfront, knowing what it is that we’re going to go about doing. In some cases, I know, you know, earlier I was saying, oh, do I, you know, do I toss their stuff and keep ours? Do I keep their stuff and toss ours? It may very well be, hey, go let them both sit there, run side by side, etcetera.
Learn what the, you know, you already know the benefits and the drawbacks of what you’ve got. So give the, you know, give the newly acquired stuff a little time to season, if you will, learn a little bit more about it. You may actually learn some things and, you know, maybe they’ll be able to kind of bring some new ideas to the table. You know, certainly looking for and anticipating hidden costs. You know, you certainly want to, whenever you do an acquisition, you want to budget for, you know, invisible risk. You know, if all of a sudden you have immediate infrastructure upgrades that you need to do or expired support recertification efforts that, you know, may not have been, you know, kind of immediately visible in the, you know, kind of earlier phases of the due diligence, those are all, you know, elements for, you know, kind of best practices for the listeners, if you will.
Finally, what should listeners do if they spot any major red flags?
I mean, if you’re doing a quality job of the due diligence, then, you know, you very well may discover some compliance issues that, you know, weren’t appropriately disclosed. It wouldn’t be unheard of to, you know, find out that, you know, the target company doesn’t have a third-party assessment, or they don’t even put themselves up against a compliance standard, or they’re doing self-assessments, or they haven’t done recent security testing. Maybe they have done some testing, but they’ve still got open or troubling, you know, findings that came up during, you know, any prior security testing or risk assessment. So, you know, should that be, holy crap, let’s just back out? Well, not necessarily, you know, but you definitely want to lean on that expert that you’ve got to give you a notion of how big or small of a deal this is going to be. You know, getting their objective third-party opinion on it and doing a thorough review before you’re moving forward, all of those are going to kind of work in your favor. You know, you definitely want to, you know, work it through to where you’ve accounted for, you know, dollars in the deal to be able to be appropriate, right? You know, if initially we’re talking about a certain figure, but then we go in and start doing the due diligence and find out that, you know, the numbers at a high level meant that, you know, this was the, you know, this was the acquisition price.
But if I now know that, you know, after I’ve done the digging, done the due diligence, etc., you know, it very well could play into the, you know, the purchase price, because of the fact that the acquiring organization is going to have to plug a number of holes, etc. It’s a hell of a lot better off to, you know, have a reasonable dialogue with the, you know, with the company getting acquired, you know, kind of upfront and openly about what the things are that we’re really going to need to go in and do, you know, and have that accounted for in the acquisition cost. You know, then that’s going to be a much better position to be in. You know, if you’re just getting a bad vibe, you know, a bad vibe from the review, or something doesn’t feel right, etc., you know, then again, just start digging, start digging deeper. You know, I’ve seen a lot of due diligence processes that are kind of, I don’t know, I almost call them more check-the-box, right? Get this, get this, get this and get that. And as long as you, you know, you get them and, you know, they don’t immediately blow up in your hand, then, you know, you go and throw it on the shelf and keep moving. But, you know, just trust your gut as you’re going through that process. That’s for sure.
Parting shots and thoughts for the folks this week?
Well, for anybody walking into this kind of acquisition arena, it is definitely an exciting space and whatnot, but I can’t underscore enough, you know, I’ve seen too many of the due diligence exercises unfold where the acquiring organization, you know, they’re really good at, you know, the business stuff, or they’re really good at, you know, the financials end of it. They’re, you know, really good with being able to, you know, look into the background of the core corporate entity to see if they’ve got any, you know, kind of big, ugly buglies, you know, hanging out there, lawsuits and blah, blah, blah. You know, they’re really good at all that stuff, but the security and compliance arena is one that either is just brushed over as a, yeah, yeah, yeah, we’ll figure it out, you know, or almost, you know, kind of an afterthought for, you know, these companies. I would really strongly encourage them to, you know, step up your game, you know, take it seriously. Because that one that I was telling you about earlier, you know, it was a real surprise to them to learn just how much needed to be done, how much wasn’t in place, how much wasn’t getting handled properly. So it really took them by surprise, and you definitely don’t want to be in that position. There’s no real reason to be. So take the responsibilities through the, you know, the due diligence process for security and compliance super seriously, and it’ll end up paying dividends, you know, as you go through your acquisitions.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.