Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.

In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.

Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and accesses, and conversion of users are among the potential hurdles these companies face. For organizations this large, there is nothing trivial about integrating their networks, systems or controls. The biggest issues are always disparate systems, controls and interoperability, and the privacy and security issues those challenges can create.

The transition period after two companies merge presents new risks. Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge. It is easier to attack a hybrid, half-integrated company than two separate companies.

Anthem's proposed acquisition of Cigna comes at a time when Anthem is under a lot of pressure with respect to its information security, and the acquisition of another large insurer represents a lot more to add to its plate. It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated. When mergers and acquisitions are completed, a big challenge is picking and choosing whose information security program will dominate after the transaction is completed.

Oftentimes, the information security program of the larger entity takes over that of the smaller. In good situations, each entity learns from the other and the overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity.

While that best-of-breed-themed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly. There are two kinds of challenges: inconsistencies in practices, involving either data security or privacy, and the operational implications of these inconsistencies, where one of the entities tries to apply its processes or practices to the differing practices or operations of the other. These challenges are exacerbated when there hasn't been a lot of due diligence on privacy/data security issues.

When you start connecting one huge network with another one, and start sharing data without proper planning, there are new vulnerabilities and risks that emerge. If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind. The biggest tip is common sense: Don't undo anything that is currently in place to ensure continuity until what's new is in place and backed up.