Companies still finding cybersecurity problems following M&A purchases, says report
Companies still finding cybersecurity problems following M&A purchases, says report

Fifty-eight percent out of 100 senior health care executives whose companies were involved in a recent merger or acquisition said in a new survey that their particular organization uncovered a cybersecurity problem with its newly annexed business after the deal was already consummated.

Management consulting company West Monroe Partners last week released the survey results as part of its "Reshaping Healthcare M&A" report, in which 49 out of 100 executives also said that they were were dissatisfied with their specific company's cybersecurity due diligence efforts leading up to its acquisition.

The report contends that cybersecurity continues to be a prevalent issue surrounding mergers and acquisitions at a time when such business dealings are becoming more frequent in occurrence. Citing data from research partner Mergermarket, West Monroe notes that there were 579 M&A dealers in the health care sector in 2017 -- the second highest total on record.

Brad Haller, a director in West Monroe Partners' M&A practice who specializes in health care, said in the report that “Security problems of healthcare businesses are commonplace... But spotting issues takes time and system access – it can't be effectively done through basic penetration testing alone.” 

According to the report, the most common cyber concerns that executives experience when targeting companies for acquisition are a lack of personnel with deep knowledge of cybersecurity issues (54 percent of respondents cited this issue), vulnerability to insider breaches (48 percent), and a dearth of robust cyber policies and procedures (36 percent).

West Monroe notes that significant cybersecurity challenges emerge in the event of a roll-up merger, when an investor such as a private equity firm buys multiple companies within same market space -- each with its own IT systems and practices -- and consolidates them into one entity.

“Without question, the biggest issue we see in provider roll-ups is security, whether that's safeguarding protected health information (PHI) or credit card data,” said Haller. “All these clinics have some ability to accept payment for copays, but they don't all have a good sense of what they're supposed to be doing to protect both types of data."

Last June, West Monroe revealed in its "Software M&A Frenzy" report that 52 out of 100 senior global executives said that their company inherited cybersecurity problems after acquiring a software company.