
Brian Wilson

Appearances

Becker Private Equity & Business Podcast

The Critical Role of Cybersecurity Due Diligence in Healthcare M&A 2-25-25

1007.308

one kind of approaches and monitoring, endpoint monitoring, network monitoring. So if a threat actor tries to undertake a phishing campaign, those things can be identified and stopped quickly. Same thing with ransomware. I've had multiple cases in the last 12 months where,

1024.569

Ransomware started because somebody did something they shouldn't and the ransomware was locking up an asset, but it got stopped in its tracks because the organization had segmented its network appropriately, had the right internal safeguards to really contain it quickly.

1040.16

The problem is if you're looking at downstream your third parties who don't have the same size, scope, and scale, or they haven't made that same investment, a good example is they're not maintaining the most current operating system on their assets. So there's some vulnerabilities that potentially haven't been patched on their assets.

1059.692

And if those third parties are connected to an organization through EDI, APIs, other information exchange protocols, now you have a potential path into the organization that's stemming from your third parties. And I think this becomes even more relevant to your point, Scott. HIPAA has a new proposed security rule

1079.916

which does extend to BAAs, so business associate agreements from healthcare entities, which will put a bit more teeth around if you're a BAA and you're dealing with healthcare data, there's even additional requirements now that might, you know, if they finalize the rule, because

1098.493

But the way things are going currently, it's a proposed rule through Health and Human Services, the Office of Civil Rights. But when it actually gets finalized, we'll see. But if it gets there, it'll have real teeth.

1110.238

And the BAAs, everybody that has a BAA with a health care entity will have to go back and reevaluate that relationship and those contracts to meet the requirements of the new proposed rule for HIPAA security.

114.1

Well, that's a great question. And, you know, I kind of, I think back to the days before data breaches were commonplace and we were all getting emails about, you know, kind of monitoring services because our data has been exfiltrated and is available for sale on the dark web.

1146.506

100%. And one of the most critical aspects of your third-party risk program would be audit. You have an audit clause in your contract, use it. Go out there and make sure you understand what they're doing and how they're doing it and if they've had an incident and how they responded.

130.762

So I think you kind of got to go back a little bit in time and think about what traditionally the due diligence process was all about. And then when you kind of move forward through time and even just this year, there's some very good examples of recent data breaches that are affecting millions and millions of individuals. And so what does that mean?

150.893

You know, if you're looking to acquire or sell a health care company on the buyer side, you know, certainly, you know, the risks that you may be assuming may not be apparent. And I think that's definitely worth exploring and understanding, really getting behind the firewall, if you will, around what kind of systems and infrastructure do they have? How is it operated? When was their last incident?

174.393

If they've had an incident, what's their playbook if they have one? And on the sales side of the equation, it's really you want to make sure that you're doing everything you can to support the value, right? And being a good potential partner to the acquiring entity, et cetera. And really a lot of what we would frame as cyber due diligence as part of an exercise today

198.326

It's really kind of basic block and tackling for cybersecurity, particularly in the healthcare space in terms of knowing what you have, having inventory and asset list and security and threat assessments and all sorts of other good stuff.

213.151

It's stuff that should be there already, but because of the way that healthcare operates and there's a lot of moving parts and there's a lot of buying and selling and everything in between, there's gaps. There's inevitably gaps in the M&A process that, you know, really needs to be looked at holistically.

31.998

Happy to do so, and thank you again for having me. Very happy to be here. Just a little bit of background about me. I've been in the consulting business for about 30 years, and having been a partner at a couple of different Big Four firms was exciting. Lucky enough to land with BMG Health. And today I lead their cybersecurity risk and AI division.

341.294

Yeah, and it actually, it almost cuts both ways, in some ways almost equally, because whether you're a buyer or seller, the concept of having a comprehensive cybersecurity approach to your organization is super critical. I think if you're on the buyer side,

360.256

You know, there's some things that you should be looking for from a kind of buy-side risk standpoint, like, you know, when was the last comprehensive risk assessment and what standards were they using? Was it NIST? Was it, you know, 2.0? Was it HIPAA? Was it anything else? Like, what was the standard that was used?

377.39

Tactical assessments, third-party risk management that Chad touched on, frankly, is high on the list. A lot of even the best organizations with the most robust standards

387.334

cybersecurity practices and hygiene have risk through their third parties where some of these threat actors are coming in through a third party who doesn't have the same level of diligence around their program or the same investment and they find a vulnerability or a weak spot and are able to use that to enter into an entity and do some significant harm and damage.

407.862

So buy side, really understanding what is the seller, what have they been doing? What has the experience been like? What is the in-house capability versus some of their service providers who might be filling gaps? I mean, on the seller side, again, like what Chad had said, I mean, it is really about trust and confidence.

427.478

And if you're looking to exit an organization, no, you really do want to be in a position to say, we have done recent assessments. Yeah, maybe we had an issue. And here's what that issue was. We report it out. We did a root cause analysis.

444.618

We strengthened and hardened our system so we're better today than we were before, which would be an interesting, I think, conversation to have as a seller to a buyer. It's not our first rodeo. We know that breaches happen. We have very sensitive information and we've been through this before. And here's how we dealt with that.

464.026

We learned from that and here's the enterprise value that came out of it in terms of system hardening, you know, really just next level threat assessment and really looking at, you know, pragmatically, where are the risks add to the organization?

476.092

Um, you know, in terms of, you know, kind of day-to-day risk, operational risk, and of course, you know, complying with rules, regulations, et cetera, like HIPAA, for example.

51.317

So I've got a lot of great context and insight on cybersecurity and why that's relevant in M&A transactions, particularly as it relates to healthcare entities. And really looking forward to the conversation.

635.914

I think from a cyber due diligence perspective, you really need to look at it from where is my biggest risk coming from? So if you're an organization that has a significant reliance on third parties and third parties are very much being targeted by threat actors,

651.072

That is 100% a place where you should spend some time understanding what those third parties' programs are, what your contracts are in terms of if you get breached through a third party, what is the liability there and the indemnifications and kind of third-party risk associated with the entity. I think that's top of mind.

668.645

I think as threat actors have evolved over the last several, we'll say decade and now with AI, threat actors are using AI just like everybody else and they're doing it well to the point where some of the big providers of AI services are actively looking to kick them out of their offerings so that they can't continue to improve their malware and attack approaches with the use of AI.

694.431

So, and the thing that I think most organizations need to keep in mind is, you know, a cyber criminal, a threat actor only really needs to be right once to get into the organization versus your in-house cybersecurity team. They got to be right all the time, right? You got to be constantly defending, looking at the risk profile and understanding where that threat may be coming from.

715.734

Again, whether it be through third parties, just touching on the AI, but again, there's, there's been an uptick in zero-day attacks, which means that an off-the-shelf software has a vulnerability that these threat actors now have been able to identify using AI in a much shorter timeframe than they could, you know, in years gone past, they had to decompile the code and do a lot more work.

734.671

Now AI can do it for them. So there's a couple of really key takeaways here. Again, third parties is one, I think in terms of understanding the data you have and really the sensitivity and the regulatory requirements around it. Healthcare, obviously lots of PHI and PII and really sensitive information and other sectors, right?

756.017

There's all sorts of IP and bits and pieces, but I think that's probably the second biggest thing that if I was sitting in a CISO's chair or CIO's chair right now, I'd really want to make sure I know where that data that is super sensitive and subject to regulation, that I've got that really being monitored heavily and locked down as best as I can.

884.889

I think, and Chad touched on it, most of these cyber insurers today are looking at an organization's approach to managing their own in-house risk. And so where you can demonstrate you've done certain things to harden your systems or increase your hygiene. You can actually negotiate a better deal with the cyber insurance companies we're having. For example, multi-factor authentication.

910.08

If you don't have it today, you're probably not even gonna get insurance. So most people now have enabled multi-factor authentication around key accounts and assets and access. But that's pretty low-hanging fruit. But you would be surprised, some of the smaller kind of organizations that haven't really had to deal with cybersecurity and threat actors before, this is all new, right?

932.431

And so if you're going through a deal process and you're looking at cyber insurance as part of the program, and then if you think about it from having insurance as part of the program underneath the RWI package that Chad mentioned, but also we're going to strengthen our security by enabling multi-factor authentication.

951.521

And we're going to do something better than what we're doing today with our backups to have an offline version as well as an online. Things like that, block and tackling, those help to negotiate that kind of longer term cost of insurance. And really, I think puts everybody in a better position from a deal perspective.

988.41

Yeah, it is a prevalent one. You know, if you're looking at some of the larger organizations have been making significant investments, they're hardening their systems, they're, you know, upskilling their teams and using high quality third parties to fill in gaps. And so your, your larger organizations have fairly robust