Mergers & Acquisitions: Necessity of Cyber Diligence
In June of 2019, Quest Diagnostics revealed they had experienced a major data breach that exposed medical records of almost 12 million people worldwide. As one of the largest clinical laboratory testing operations in the world (with locations in the United Kingdom, India, Brazil, and Mexico), the medical testing firm announced that a third-party billing contractor, American Medical Collection Agency (AMCA), was the main point of entry through which an unauthorized user accessed sensitive patient data and information. This raises the question: What cyber diligence was performed on AMCA, and how is it possible that the entire supply chain was affected?
The breach underscores a shortfall of proper cyber diligence at the Fortune 500 healthcare agency. With such a complex supply chain of information and data entry points, Quest Diagnostics failed to understand the wider governance needed to ensure that adequate security measures were in place to keep this data safe.
What is Cyber Diligence?
Cyber diligence describes an organization’s ability to properly audit the incoming cyber security posture of a company undergoing the merger & acquisition phase. It gives information security professionals a deeper understanding of what data a business collects, stores, and accesses over a period of time. Under proper cyber diligence, a parent company can claim reasonable judgement that a business has mitigated the cyber risks that face the particular firm or industry.
Industries (such as the healthcare sector) that collect and store highly sensitive information are more likely to experience cyber threats such as business email compromise and phishing attacks. Businesses that store personally identifiable information (also known as PII) accounted for 97% of all data breaches in 2018, according to a ForgeRock study. Consequently, more quality resources are being released to help these targeted healthcare providers, such as the Health and Human Services HICP.
What is the impact of poor cyber diligence after the merger & acquisition occurs?
As seen in the Quest Diagnostics data breach, the repercussions of inadequate cyber diligence can be dangerous for an enterprise. Not only can the damage have long-term consequences for the brand loyalty of the firm, but the financial impact of incoming class-action lawsuits and restitution can also run deep. Only once a full digital forensic analysis has been completed can the full scope of the breach be understood. In the legal space, businesses that do not perform cyber diligence are introducing factors and variables that would make even a seasoned attorney’s head spin!
Solutions For Better Cyber Diligence
Assessing The Security Framework
Businesses looking to acquire new properties & brands need to fully examine the security framework, including all current efforts taken to keep data secured. Determining which previous steps the organization took to improve its cyber security and protect its data can help showcase the company’s ability (or inability) to protect against outside threats. The cyber security framework must be strong and dynamic, fully protecting the data at each entry point. Also take into consideration the quality and extent of the most recent employee training sessions on data security.
Limit Access Management Controls
A key and widely overlooked variable of cyber diligence is a deep evaluation of the company's Privileged Access Management (PAM) and of which users have permission to access the data. As companies develop, they accumulate a long list of current and previous users who might still have their credentials and access to important company data. Ensure that your cyber diligence plan includes an assessment of these access privileges and of the log history showing when business information was accessed. In businesses that have many different levels of access to sensitive data, those levels need to be controlled according to the new parent company's policies.
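The access assessment described above can be run as a simple reconciliation. This is an added example, not part of the original article: the HR roster, account export and access log below are constructed sample data, and their column names and log layout are assumptions.

```python
import csv, io
from datetime import date, datetime

# Constructed sample exports from a hypothetical acquisition target.
ROSTER_CSV = """user,status,end_date
alice,active,
bob,terminated,2019-03-15
carol,terminated,2018-11-30
dave,active,
"""
ACCOUNTS_CSV = """account,owner,enabled
alice,alice,true
bob-admin,bob,true
carol,carol,false
svc-billing,,true
dave,dave,true
"""
ACCESS_LOG = """2019-03-10T09:12:00 bob-admin read patients_db
2019-04-02T23:41:00 bob-admin read patients_db
2019-04-03T08:00:00 alice read billing_db
2018-12-05T10:00:00 carol read patients_db
"""

def review_access(roster_csv, accounts_csv, access_log):
    """Return (account, finding) pairs for the diligence report."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings, ended = [], {}  # ended: account -> date its owner left
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owner = roster.get(acct["owner"])
        enabled = acct["enabled"] == "true"
        if owner is None:
            # Nobody on the roster is accountable for this credential.
            if enabled:
                findings.append((acct["account"], "enabled account with no owner on roster"))
        elif owner["status"] == "terminated":
            ended[acct["account"]] = date.fromisoformat(owner["end_date"])
            if enabled:
                findings.append((acct["account"], "enabled account of former user"))
    for line in access_log.splitlines():
        if not line.strip():
            continue
        ts, account, action, resource = line.split()
        # Access after the owner's end date matters even if the account is disabled now.
        if account in ended and datetime.fromisoformat(ts).date() > ended[account]:
            findings.append((account, f"{action} on {resource} after owner left ({ts})"))
    return findings
```

On the sample data this reports the still-enabled account of a former user, the ownerless service account, and two log entries dated after the account owner's departure.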
Promoting Ongoing Cyber Diligence
As part of a mergers & acquisitions agreement, third-party vendors and auxiliary companies need to be consistently monitored and supervised to ensure they are following the cyber security policies & procedures put in place by the parent company. Cyber crime continues to develop and expand, and threat actors are always finding new attack vectors and vulnerabilities to gain entry into even the most protected systems and databases. As a result, the cyber governance of an enterprise needs to react and adapt to current trends in cyber security, and pass these changes along to its business properties. Adhering to growing local, state, and federal data privacy requirements will be another challenge that requires attention from all parties involved.
 Quest Diagnostics Statement on the AMCA Data Security Incident, June 3 2019, http://newsroom.questdiagnostics.com/AMCADataSecurityIncident
 How to protect your customers’ personal identifiable information, https://www.techrepublic.com/article/how-to-protect-your-customers-personal-identifiable-information/