In this episode of The Risk Perspective, we bring in two Merger and Acquisition (M&A) gurus: Marti Arvin (Executive Advisor at CynergisTek) and Michael Loria (EVP at Brightcove, and former VP of Business Development for the IBM Security Division). Together, they discuss security and privacy considerations when it comes to mergers and acquisitions. Who should be involved, and when? What can the tech field teach healthcare? And how can third parties help? Answers to these questions and more can be found in this easy-to-listen episode. Remember to tune in next week for Part 2, where we will dissect the compliance side of M&A.
Hello, and welcome back to The Risk Perspective. I’m your host, Lauren Frickle.
In today’s episode, we’ll be discussing privacy and security within the world of mergers and acquisitions. To complement this topic, we have two very qualified guests.
We have Marti Arvin, Executive Advisor at CynergisTek, and Michael Loria, EVP of Corporate Development at Brightcove.
Hi, Marti, hi, Michael. Welcome to The Risk Perspective. If you will, please start us off with a quick introduction.
Good morning or afternoon, depending on where you’re listening from. This is Marti Arvin. As Lauren mentioned, I’m an executive advisor with CynergisTek, and prior to joining CynergisTek, I spent 18 years in house in healthcare. Working as a Chief Compliance Officer, I was involved in mergers and acquisitions for my organizations and in helping support their due diligence process. So, I’ll provide some insight on that as we go forward. Michael?
You bet. Hello, I’m Michael Loria. I am the VP of Corporate Development and Strategy at Brightcove, which is the leading online video platform, and, as we have all learned in the last few months, video is vital to engagement and collaboration.
Prior to that, I was a founding member and the Head of Corporate Development for the IBM Security Business Unit. So, we were both a security company, and a very acquisitive company.
And I’m also honored right now to currently be serving on the Board of Directors for CynergisTek.
Great, with that, let’s get started and dive into the episode.
Michael, you’ve been very involved in mergers and acquisitions. And I’m just curious, from your perspective, what are some of the general questions, when you look at, particularly privacy and security issues on due diligence, that organizations should be asking, or should be looking at?
Yeah. You bet, Marti. And, you know, I think security and privacy have become significant considerations in M&A. Before, you know, historically, they were always something that the IT team looked into. And now it is actually a business-level concern.
And, on one hand, it’s really understanding the policies and procedures of the company, but also understanding how they practice that at the target company. You know, no one wants to buy risk exposure. So, really understanding not only what the company says, but then how they are actually implementing it, doing it, and then, you know, additionally, how pervasive security is across the company and the element it plays in, really, all aspects of managing customer data, finance. It’s really become a very broad topic in mergers and acquisitions across all the business functions.
You’re absolutely right, Michael. And in my experience, I’ve seen that same evolution, where, you know, 15 years ago, when acquisitions were occurring, people didn’t really focus on privacy or information security. But now, we have a much stronger focus on that. But as you think about this, what are some of the types of due diligence processes that companies either typically do or should typically do?
Yeah, you know, I tend to put, um, diligence around security in kind of three big buckets.
One is just, you know, typical due diligence of the policies, practices, you know, what do they have recorded? Do they have stated policies? You know, what are the operational considerations they have around security? And, you know, how diligent are they on an ongoing basis?
And then, you know, really looking at: do they have defined statements about risk posture, and how responsive are they when it comes to security considerations? Then you look at, well, what can you actually test? And security is one of those things that, during diligence, you can go beyond simply advising, you know, reviewing their policies and asking questions. You can actually go and do things like code scans for vulnerabilities, pen-testing of their key business applications, and really ask to try to validate: are they implementing what they say they do?
And then the third area is really risk audits by third parties. It’s a great way to bring in external expertise to also help in this area. So, I think there’s a lot of things that can be done around security, because it actually can be tested and validated above and beyond just, you know, looking at the documents and looking at the policies and procedures they have. And it needs to go well beyond just interviewing the CISO to actual inspection.
I think the types of diligence, the good hygiene things, the virtual data rooms allow you to track and make sure that people are doing a good job, that they’re looking at all the documents, that diligence is thorough. But the thing I really have tried to stress around security and privacy is really validating what you’re being told, or what you’re reading, during the process. And that is doable, whether you can do it as an organization or you bring in a third party to do it for you. I really encourage companies to validate what they’re hearing and learning.
And, Michael, when you mentioned in your introduction your background, it sounds like you’ve had a little bit more of a focus in security companies, and outside of the healthcare industry, and, in my experience, there’s usually been some resistance in healthcare.
I haven’t had experience in other industries, but in healthcare, there’s been some resistance to allowing some of that kind of testing, and that validation that you just described.
So, are there things in particular, that you think that the healthcare industry can learn from the tech industry as it relates to this?
Yeah, I think when you look at tech acquisitions, for instance, Marti, you know, you’re buying intellectual property. You’re buying code. You’re buying the actual applications and procedures that the company owns and has invented, so that’s a mandatory part of the process. And it is very common in tech to do pen tests and audit tests, and it goes beyond the product. You’re actually looking at the business.
And I think that has actually been relatively new in the tech segment as well, to think about looking at how they manage customer data, you know, how they protect their own internal property, you know, data, and processes, and financial reports and financial statements, but you need to test those things as well. And so, I always appreciate that there is reluctance. But these are all things that obviously you want to learn before you do a wire transfer of money.
So, it really goes to what your risk tolerance is, and if it is important to you and you have a concern about risk and acquiring additional risk,
I think you need to insist on it as part of the diligence process going forward. It’s as important a consideration as virtually any of the other aspects of the deal, including price.
And I agree with everything you’ve said. I think the one thing I would caveat to folks, when you’re talking about a healthcare acquisition and you run into some of that resistance, is being cognizant of doing those types of pen testing and vulnerability testing in the healthcare arena and environment. And really recognizing that there might be resistance because you’re talking about going into a network that has medical equipment attached to it, and talking through with the company that you’re looking to acquire. There are definitely ways that those types of things can be done, but, you know, talking through with them and helping understand their concerns, and recognizing that, and either, if you’ve got the expertise, or, as you mentioned, Michael, using third parties. A lot of third parties (CynergisTek is one of them) have the expertise to go into healthcare and do that type of assessment on that type of a network, recognizing the conditions that are a little bit unique to healthcare, that you might not run across in some other industries.
So, don’t just take that pushback that says, we don’t really want to do this, because, you know, we have all these devices connected that are equipment that patients are hooked up to, and we can’t do that because of those reasons. That’s really just not true. There are ways to do it, but it is a legitimate concern that they might raise, and you should be aware of it, but don’t just accept that. There are definitely things you can still do, even in that kind of an environment.
You know, one of the things that folks have been curious about is just thinking through, how do you help ensure that the issues around the transactions themselves aren’t leaked?
How do you set up the processes for privacy and security? And not thinking about the due diligence of looking at the party you’re acquiring, but how do you ensure privacy and security around just the discussions and conversations and transactions?
So, do you have any thoughts on how you help prevent leakage of the transaction itself?
I’m sure you have some great points here, as well Marti.
You know, and I don’t mean to make light of it, but usually reminding the team that wearing orange is probably not a fitting color for many people.
And that often, you know, this is pretty vital information that’s being shared with them.
We often would start off with a kickoff process, and that, Marti, is one of the single most important things we stress. Not only the potential damage to, you know, our company, but the potential damage to the target company. And, you know, first of all, making sure that people are really aware of the fact that virtually every aspect of the discussion, even that the discussion is taking place, is highly confidential and needs to be treated as such.
You know, there are typical processes that I know a lot of companies run. They have employees sign an additional NDA, which really does allow you to stress to the employees the significance of the process that they’re going through.
But I also find that one of the most important parts of this is really two things here.
Keeping the people engaged in the process on a need-to-know basis. Often, everybody wants to participate. Acquisitions are fun, they’re complex, you meet a lot of new people; it’s an interesting process to go through.
But you often should be asking yourself, before you disclose anyone and bring them into the process, whether they are really needed. They’re not there just because it’s a good learning experience or we might need them. They really should be there if we need them to complete the transaction.
Secondarily, the question should be, when do they need to know, when do you engage them?
It doesn’t make sense, day one, to bring in the entire diligence team, disclose everyone, and start the process for everybody at the same time, upfront. Bringing people in at the point in the process when they’re needed, and this is a tough one, and Marti, I’d love to hear your feedback on this, because, you know, during an acquisition, you’re trying to build consensus, you’re trying to get your side of the equation all excited about what’s going to happen, you’re building integration plans.
So, everything about sort of limiting the number of people seems counter-intuitive. You want to bring a lot of people in and gather alignment. But yet, this issue around leakage is so important that I think it counterweights the need to do a broad disclosure, and then, of course, secure treatment of all materials.
And, you know, with data rooms and the like, there are wonderful tools. You know, they track access, they track who’s downloading documents, all those types of things, they watermark documents. So, using things like virtual data rooms is also very helpful in the process.
I think those are all great points. And I analogize this, you know, being an attorney by training, to really setting up structures for attorney-client privilege. And it’s very analogous when you think about that: if you’re trying to maintain attorney-client privilege, you want to make sure, to your point, everybody involved really is on a need-to-know basis.
And one person may not have a need to know at the beginning of the transaction and discussion, but they may become relevant a month in, and so then you bring them into the process. And don’t assume that everybody you had involved in the last merger and acquisition transaction needs to be involved in the one you have currently. They may or may not, depending on the nature of the acquisition.
So, it’s really a thoughtful process. And the only thing I think I’d add to what you said, Michael, is, it kind of ties into it, but I think it needs to be explicitly stated: constant reminders to everyone that this is a need-to-know basis, and they shouldn’t be sharing it. And that, if they have any questions, who’s the lead person to go to, for them to ask, should I be telling this person anything about this transaction?
And, you know, it’s: ask before you share if there’s any question at all, so that you do keep it on that need-to-know basis. And then that continual, constant reminder to people to make sure they’re only sharing information they’re supposed to be sharing with the people they’re supposed to be sharing it with.
Now, we’ve touched on this a little bit, and so I think I probably have a good sense of what your response is going to be.
One of the things that I did as a compliance officer is, try to engage my leadership so they brought me into conversations, but I also would bring myself in if I heard about it through the grapevine and nobody had brought it up to me before.
So, what are your thoughts on the engagement of the CISO, the Chief Privacy Officer, folks in those types of roles about weighing in during the process of a merger or acquisition transaction?
Should they be involved, period, or should they only be involved if they have privacy or security concerns?
I love hearing that you would assert yourself in that process. I think that’s wonderful.
Back to the point you were just making. First of all, everybody involved in a due diligence should have a voice, right?
So, you shouldn’t be bringing people into a diligence process if you don’t want to hear their feedback. And, then, in that context, why would you not want to hear about security and privacy concerns of a company you’re about to spend hard-earned capital to acquire?
So, I think, you know, it is very important.
For many public companies, it’s mandatory. Doing security audits, privacy audits, as part of the acquisition process is only a good business decision to make, and, therefore, I’m thrilled to hear that you forced your way in. And I’m sorry to hear you had to. I think, you know, that it’s a very vital role.
And, you know, during diligence you’re trying to validate a business case. You’re trying to audit the business and confirm that the data provided is accurate, and you’re starting the integration process, and you want to understand what issues exist in the business.
And people need to constantly be reminded that finding issues is great. That’s exactly what you want to do during due diligence. And finding an issue is not a bad thing. Because then, simply, you need to ask yourself: what can we do to mitigate this from a process perspective? Do we need to mitigate it with investment? Or is this a showstopper? Is this something so egregiously wrong that we should actually walk away from the deal? Those are all things that are wonderful to find before you wire transfer money to a potential acquirer’s target company.
So, I think it’s very important. And I would, you know, certainly encourage anyone leading a diligence team to make sure that security and privacy concerns are both looked at and aired and part of the diligence report.
These are often not simple problems to mitigate after the fact.
And, I think that is absolutely spot on.
And I think the only other thing I can add to your comments on that are: you need to think about the perspectives that people bring to the table.
It’s not that other leadership members that are involved in the process won’t think about privacy and security, but that is not their day-to-day area of focus. And, so, they might raise an issue that would flag a security or privacy concern for people that are involved in those roles, that might not boil up to the top as a security issue when the person who’s focused on finance or business operations thinks about it and discusses it.
So, having those different perspectives can help you identify those issues, and then as you pointed out, Michael, once you identify them, then that gives you the opportunity to figure out how you’re going to handle them.
Are you going to mitigate the issue? Are you going to just say this is a deal breaker and we’re going to call the deal off? But you want to find it during due diligence.
As you said, uncovering things is the important thing. That gives your leadership the opportunity to make an informed decision before that wire transfer occurs and before they sign on the dotted line.
And that was always something I felt was my role. I didn’t always agree with decisions my leadership made; I was less risk-tolerant than they perhaps were. But I feel confident they made an informed decision, and they knew the level of risk they were taking on if they were doing something that I, in a more conservative stance, would not have been comfortable with. And I think that’s the end goal here, is we’re making an informed decision about the purchase of this company that we’re trying to acquire. And maybe that informed decision is to say we are no longer interested in acquiring them.
Now, we did talk a bit about third parties, and I just want to touch on, you know, Michael mentioned, you might bring third parties in to do some of the different things as part of the due diligence process.
I think it’s important to recognize that you need to understand whether you’ve got the expertise to do some of these things, and if you don’t have the expertise, or if it’s going to be more time consuming for you to do it than bringing somebody in with that expertise, that is a good time to bring in third parties that can handle this and do it on a routine basis.
Pen testing is a good example. You know, there are companies out there, CynergisTek, as I said, is one of them, that do pen testing in health care environments all the time. So the times, I think, you want to look at third parties are when it is more cost-effective for them to do whatever the activity is, or when you don’t have that expertise and you really need to bring a third party in for that. Michael, is there anything you have to add to that?
Yeah, certainly your comment from earlier about the best practices. Like, how do you deal, for instance, in healthcare? You know, the concerns around networks being used for production and yet still trying to do diligence. Third parties often have dealt with that problem a number of times.
I would also add the availability of resources. Security people are pretty busy. Most companies build their diligence team with internal resources, and these tend to be pretty busy people, so finding people with enough expertise and time on their hands to help in the diligence process is often difficult. Third parties can do that. And then also just credibility.
You know, being able to validate for senior management, or in the case of public shareholders, that people with expertise in this field performed this part of diligence is often reassuring and, in many cases, fiscally responsible to do.
So, I think there are a lot of valuable reasons to bring in third parties, especially in expertise-driven areas like security, privacy, compliance.
Well, Michael, thank you, I’ve enjoyed having this conversation with you. I know this is probably a topic we could both talk on for a much longer time, but I hope folks have found this very meaningful and provided them some insight on things to consider on privacy and security when it comes to mergers and acquisitions. Lauren?
That was some great information from both of you. Thank you again, Michael and Marti, for sharing your expertise.
And thank you to our listeners for listening and remember to subscribe and/or like The Risk Perspective.