June 14, 2021

Volume XI, Number 165

Advertisement

June 14, 2021

Subscribe to Latest Legal News and Analysis

Effective Management of Cybersecurity Risk in Transactional Due Diligence

According to a report by West Monroe Partners, Approximately 40% of companies engaged in corporate transactions reported finding a cybersecurity issue during post-acquisition integration of the target company.  While companies routinely conduct robust transactional due diligence to manage legal risk, many fail to adequately conduct cybersecurity due diligence. As a consequence, many companies and investors are leaving themselves vulnerable to potentially severe latent cyber risks.

Cybersecurity is especially relevant in healthcare transactions as the industry continues to be riddled with cyber-attacks.  Protenus Breach Barometer reports that healthcare has been the most targeted industry over the last few years, with 1.13 million3.15 million, and 4.4 million patient records compromised in the first three quarters of 2018, respectively, and more than half of breaches occurring due to hacking.  The cat is out of the bag.  Healthcare entities usually amass very lucrative personal data – social security numbers, demographic information, health insurance records, and prescription information – making them attractive targets for hackers.

Despite the high frequency of cyber-attacks in the industry, many healthcare entities spend only half as much to improve security protections when compared to other industries.  As a result, these companies remain vulnerable to cyber threats.  In the case of a breach, companies could face penalties from government agencies as well as class action lawsuits. Cyber risks may intensify during acquisitions, as the likelihood of a breach increases with the expansion of the overall cyber footprint.  Further, in a transaction, the target company’s vulnerabilities ultimately become an issue for the acquiring company.  Thus, if the target entity does not have adequate safeguards to protect patient records, then the acquiring company is at financial and reputational risk for those failings.

Given the potential risks, it is important that acquiring companies prioritize cybersecurity as an integral part of due diligence efforts.  An effective due diligence process should at a minimum evaluate cybersecurity preparedness and risks related to the following: 1) current state of risk assessment; 2) technical security features of business-critical information systems and network architecture; 3) implementation of policies and procedures related to information security; 4) policies and procedures related to detecting, responding to, and recovering from cyber incidents; and 5) historical indicators of legal and regulatory compliance issues related to cybersecurity.

©2021 Epstein Becker & Green, P.C. All rights reserved.National Law Review, Volume IX, Number 11
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Alaap Shah Attorney Healthcare Life Sciences
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

202-861-5320
Eric Moran Employment Lawyer
Member

ERIC W. MORAN is a Member of the Firm in the Litigation & Business Disputes and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Moran:

  • Represents clients in complex commercial litigation matters, including business and banking disputes
  • Defends clients in white-collar criminal matters, and performs internal investigations for entities facing potential action by state and federal governments
  • Advises clients on anticipating, managing, and mitigating complex legal and...
212-351-4510
Brian Hedgeman, Epstein Becker Law Firm, Washington DC, Health Care Law Attorney
Law Clerk

BRIAN HEDGEMAN is a Law Clerk - Admission Pending - in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green.

202-861-1387
Advertisement
Advertisement