Revealing Risk: Cybersecurity Due Diligence

December 18, 2024

The rapid evolution of technology has transformed the healthcare industry, but with it comes new and complex challenges, particularly in the realm of cybersecurity. As the number of connected medical devices and digital health records continues to grow, so too does the risk of cyberattacks.

Watch the replay of Paul Rothermel, Senior Attorney at Gardner Law's presentation at our recent CLE program in Boston to gain deeper insights into cybersecurity due diligence.

For companies involved in mergers and acquisitions (M&A) within the life sciences industry, understanding and mitigating these risks is paramount.

The Evolving Threat Landscape

Cybersecurity threats are becoming increasingly sophisticated and targeted. Recent high-profile breaches in the healthcare sector underscore the severity of the issue. Companies in the medical device sector such as Zoll Medical (March 2023), LivaNova (October 2023), and Henry Schein (September 2023) have each faced significant financial and reputational damage due to recent cyberattacks. Additionally, vulnerabilities in medical devices can lead to patient risk, recalls, customer notifications, and regulatory actions, among other impacts. The average direct cost of a health care breach topped $9 million in 2024.

The Impact on M&A

Cybersecurity concerns have a direct impact on M&A transactions. Potential buyers must carefully evaluate the cybersecurity posture of target companies to avoid unforeseen risks and liabilities. Key considerations include:

  • Valuation: A target’s cybersecurity failures can significantly impact its valuation. Lacking security controls may lead to undetected data breaches, only emerging near close or even post-close.
  • Remediation Costs: Identifying and addressing vulnerabilities can be costly for the buyer, especially where cybersecurity gaps overlap with compliance concerns.
  • Integration Risks: Integrating systems from different companies can introduce new security risks if not managed carefully, particularly as recent evidence indicates criminals target transitioning companies more aggressively.
  • Regulatory Compliance: Non-compliance with cybersecurity regulations can also lead to hefty fines and legal repercussions.

Tips for Effective Cybersecurity Diligence

To mitigate these risks, companies should conduct appropriate cybersecurity due diligence, including:

  • Understand Risks: High potential costs, business interruption, reputational damage, litigation risk, class actions, cost of remediation and breach response, and harm to patients and other stakeholders.
  • Regulatory Framework: Many regulators address cybersecurity matters, including the Federal Trade Commission, state attorneys general, the HHS Office of Inspector General, the Department of Justice, the Securities and Exchange Commission, and the Food & Drug Administration, among others.
  • Anticipate Exploited Gaps: Assume cybersecurity vulnerabilities identified in diligence may be exploited, and structure the deal and remediation plans accordingly. No breach does not mean no risk – a breach may simply be undiscovered due to a lack of effective controls.
  • Target Risk Profile: Identify critical systems and data and evaluate the target's risk profile. Consider the business model of the target. For example, manufacturers offering cloud hosting of patient data integrated with electronic health record systems, or operating a product reimbursement support program that maintains significant patient information, may carry increased risk.
  • Multi-Disciplinary Approach: Legal, CISO, IT, data/system architecture, and engineering should each be involved in diligence.

The Role of Legal Counsel

Legal counsel plays a critical role in reducing cybersecurity and privacy risk in M&A transactions by providing guidance and supporting diligence efforts. Attorneys can help:

  • Identify potential cybersecurity risks and liabilities, including target risk profiles.
  • Draft and negotiate contracts that allocate cybersecurity responsibilities.
  • Evaluate third-party relationships and contracts for cybersecurity liabilities.
  • Review and advise on cybersecurity due diligence reports.
  • Assist with regulatory compliance assessment.

As Paul Rothermel, Senior Attorney at Gardner Law, states: “In due diligence, data breaches are the tip of the iceberg. Cybersecurity continues to be a significant risk and requires appropriate investment, both in data protection and product safety. Buyers should look for vulnerabilities and anticipate that any gaps could be exploited - take a risk-based approach and deploy the right experts. Target companies should prepare for elevated scrutiny of their cybersecurity practices and get their house in order early.”

By carefully considering these factors and working with experienced legal counsel and appropriate experts, both buyers and sellers can mitigate cybersecurity risks and enhance the value of their M&A transactions.

To learn more about cybersecurity due diligence and how Gardner Law can help you navigate these complex issues, please contact us.

This is the third article in our 5-part series, "Due Diligence Decoded: M&A Success in FDA-Regulated Industries.”