Mega-Mergers: The Security, Privacy Concerns
Experts Outline the Risks That Must Be Addressed
Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.
In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.
"I can't speak specifically to these mergers, but in general they share the same challenges as others going through M&As," says Mac McMillan, CEO of the security consulting firm CynergisTek. Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and accesses, and conversion of users are among the potential hurdles these companies face, he notes.
"For organizations this large, there is nothing trivial about integrating their networks, systems or controls," McMillan says. "The biggest issues are always disparate systems, controls and interoperability and the privacy and security issues those challenges can create."
When it comes to mergers, privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group notes, "I'm most worried about companies not doing enough diligence about security when these acquisitions are being considered. ... It's becoming increasingly complex to integrate two companies' IT infrastructures, and those transitions create new vulnerabilities."
Concerning Anthem's proposed purchase of Cigna, Wu says Anthem's recent hacker attack, which affected nearly 80 million individuals, "shouldn't be downplayed, but I'd be more concerned about Cigna and whether that company also potentially had a breach that perhaps hasn't been discovered yet."
Privacy attorney Kirk Nahra of the law firm Wiley Rein LLP notes that the transition period after two companies merge presents new risks. "Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge," he says. "It is easier to attack a hybrid, half-integrated company than two separate companies."
Anthem's proposed acquisition of Cigna comes "at a time where Anthem is under a lot of pressure with respect to its information security, [and] the acquisition of another large insurer represents a lot more to add to its plate," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated," he says.
When mergers and acquisitions are completed, a big challenge is deciding whose information security program will dominate after the transaction closes.
"Often times, the information security program of the larger entity takes over the smaller," Greene notes. "In good situations, each entity learns from the other and the overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity."
McMillan says merging organizations should "take an inventory of which set of controls, processes, technologies, etc. are either the most mature or the best overall." Then they can consider merging the programs, "the same way they merge organizations - capitalizing on the best of both."
While that best-of-breed-themed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly, Nahra contends.
"There are two kinds of challenges - inconsistencies in practices, either involving data security or privacy, and then operational implications of these inconsistencies, where one of the entities tries to apply its process or practices to the differing practices or operations of the other," Nahra says. "These challenges are exacerbated when there hasn't been a lot of due diligence on privacy/data security issues."
One issue that's frequently overlooked during the blending of the IT networks of merging companies is access control, says Rebecca Herold, partner and co-founder of SIMBUS Security and Privacy Services.
When an organization is undergoing a merger, some employees typically lose their jobs because their role duplicates another's role, Herold says. "But the company keeps them on for a certain amount of time because they are training another person or finishing up on a project," she says. "However, during this time, I've seen disgruntled insiders who have access to information or administrative controls and have tried to sabotage the company that fired them."
Often executives don't have insight into all the risks that are involved with blending computer networks, says Herold, who's served as an adviser to merged organizations.
"They want to join or connect the networks in some way, but there are huge risks. When you start connecting one huge network with another one, and start sharing data without proper planning, there are new vulnerabilities and risks that emerge," she says.
If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind, McMillan says.
"The biggest tip is common sense: Don't undo anything that is currently in place to ensure continuity until what's new is in place and backed up," he says.