A new report has revealed that buyers who have invested in healthcare companies have not been made aware of cybersecurity issues until after deals have been done. “Reshaping Healthcare M&A: How Competition and Technology Are Changing the Game” was published by West Monroe Partners.
In the report, it was noted that there were 579 deals for US healthcare targets in 2017. “Both up and down market, a common theme in healthcare M&A has emerged: Buyers are looking for acquisitions that can evolve and respond to the rapidly changing landscape.” The biggest challenge for acquirers, however, is the rapid rate in which technology is changing.
Of the 100 market practitioners surveyed, 49 percent said they were not happy with compliance and cybersecurity in their healthcare deals. This highlights the challenges presented by technology for the industry. 58 percent of those who bought into healthcare only learned about these issues after the deal had been completed.
But why are these issues with cybersecurity going undiscovered? According to Brad Haller, director of West Monroe Partners’ mergers-and-acquisitions practice, most targets do not allow sufficient access to discover cyber issues. Once discovered, it is already too late.
Buyers are not given access to networks for the purpose of performing scans. “Couple that with the incredibly tight turnaround requests for diligence – which is a result of the market conditions – and acquirers are basically unable to perform the right level of rigor to the diligence process. Attackers are also getting more sophisticated and evolving quicker than ever, so the tools used in yesterday’s diligence process might not work for the diligence today,” Haller said.
As a result, many healthcare investors have been disappointed with the level of cyber hygiene at companies they have acquired. There are additional causes of dissatisfaction. According to Haller, “Diligence partners can sometimes disappoint by not providing creative enough solutions to the cyber problems discovered. That is, a buyer always wants to know how a cyber problem can be addressed without throwing a ton of money at it but that’s often the advice they get.”
What’s more, Haller also reported that it is common for them to see a lot of acquirers choosing the wrong partner for diligence in cybersecurity. “for example, lawyers looking at historical breaches and past responses instead of technologists looking at how well-suited the infrastructure and tools are for the future.”