Technical and financial due diligence have long been a part of the review performed by an acquiring company prior to a merger or acquisition (M & A). Cyber security has finally become an important business concern, and this requires information security to also be addressed with as much importance. Without appropriate security due diligence, the acquiring company runs the risk of introducing significant business and technology risk into their organization.
One doesn’t have to look too hard to see an example where this did not occur; the Verizon acquisition of Yahoo and the TripAdvisor acquisition of Viator are two recent examples (2016 and 2014), with Viator suffering their breach only weeks after the acquisition. And at the time of the Yahoo breach, Verizon used the opportunity to express some doubt about the acquisition and to ask for more favorable terms.
It’s important to develop an M & A strategy, and data security deserves consideration in this process. Vendors that deliver services to healthcare organizations need to comply with a myriad of local, state, federal, and international privacy and security regulatory requirements. At the federal level there are sector-specific laws such as HIPAA. In addition, many states including California and Massachusetts have data security regulations that require organizations to develop, implement, and maintain reasonable information security programs. There are many key security and privacy considerations for buyers to consider when exploring an M & A opportunity. These include the following.
Data Security safeguards, policies and procedures
Are the policies adequate to comply with applicable regulatory environments? Understanding and evaluating a company’s risk profile requires thoughtful analysis of the policies and practices regarding data collection, use, disclosure, transmission, storage and destruction. Does the company have a comprehensive information security program including appropriate policies and procedures? How does the company educate and train workforce members and third-party vendors with access to data? Do they have an appropriate data protection framework that classifies information assets? Do they have appropriate access control policies and procedures to reduce the risk of inappropriate access to information assets? What is their data retention policy? Do they have a vendor management program in place? Do they have appropriate contractual protections in place with their vendors? Do they have someone focused on information security such as a Chief Information Security Officer(CISO)?
Are the controls implemented by the company adequate and appropriate for the industry in which they do business? While HIPAA and/or HITRUST have numerous physical, administrative and technical control requirements, how a company addresses and implements these controls differ across organizations. Have they conducted any third-party audits or maintain certifications such as HITRUST or a SOC 2? Do they have disaster recovery and business continuity plans? Do they perform vulnerability assessments and penetration tests? Do they perform security testing on their mobile app? Do they have an incident response plan, and do they test it regularly? Have they experienced any data breaches or security incidents? Do they perform appropriate background and security checks on new workforce members? Do they have policies and guidance on how data and systems are physically secured? Do they have appropriate solutions in place to know if they are experiencing an attack? Do they maintain appropriate endpoint controls to prevent compromise?
In addition, do they maintain a current data map or inventory? It’s critical to understand where data is stored, who can access it, and whether it is secured appropriately as part of an overall information governance program.
While security due diligence may show gaps in security posture, it doesn’t mean that the deal will fall through; rather, it will mean that the acquiring company knows what they are getting and then are able to appropriately price the deal taking into account both value of the acquisition, and cost to remediate security deficiencies.
This article was originally a contribution to the Datica blog