For buyers that have acquired a healthcare company, cybersecurity issues are not coming to light until after the deal is done, according to a new report, Reshaping Healthcare M&A: How Competition and Technology Are Changing the Game, published by West Monroe Partners.
The report noted there were 579 deals for US healthcare targets in 2017. "Both up and down market, a common theme in healthcare M&A has emerged: Buyers are looking for acquisitions that can evolve and respond to the rapidly changing landscape." The greatest challenge for acquirers, though, is the rapid rate of change in technology.
Of the 100 market practitioners surveyed, 49% were unhappy with the compliance and cybersecurity in their healthcare deals, which highlights the challenges technology presents for the industry. More than half (58%) of buyers learned of these issues after the deal was completed.
One reason those issues aren't discovered prior to closing the deal is that most targets don’t allow sufficient access to discover cyber issues, said Brad Haller, director in West Monroe Partners’ mergers-and-acquisitions practice.
Buyers are not granted access to networks to perform scans. "Couple that with the incredibly tight turnaround requests for diligence – which is a result of the market conditions – and acquirers are basically unable to perform the right level of rigor to the diligence process. Attackers are also getting more sophisticated and evolving quicker than ever, so the tools used in yesterday’s diligence process might not work for the diligence today," Haller said.
As a result, many acquirers are dissatisfied with their cyber-diligence, but there are additional causes of dissatisfaction. Haller said, "Diligence partners can sometimes disappoint by not providing creative enough solutions to the cyber problems discovered. That is, a buyer always wants to know how a cyber problem can be addressed without throwing a ton of money at it but that’s often the advice they get."
In addition, Haller reported that they see a lot of acquirers choosing the wrong partner for cybersecurity diligence, "for example, lawyers looking at historical breaches and past responses instead of technologists looking at how well-suited the infrastructure and tools are for the future."