This is Scott Becker with the Becker Private Equity & Business Podcast. We try each day to bring you brilliant people from the business and private equity world. Today, we're thrilled to be joined by two leaders from VMG Health. We're going to talk about cybersecurity due diligence in M&A transactions and its critical role. We're joined today by Brian Wilson and Chad Zoratech, both managing directors at VMG Health. Brian, could I ask you to take a moment to introduce yourself and tell us a bit about what you do? And then, Chad, I'll ask you to do the same.

Happy to do so, and thank you again for having me. Very happy to be here. Just a little background about me: I've been in the consulting business for about thirty years, and having been a partner at a couple of different Big Four firms, I was lucky enough to land with VMG Health. Today, I lead their cybersecurity, risk and AI division. So I've got a lot of great context and insight on cybersecurity and why that's relevant in M&A transactions, particularly as it relates to health care entities. I'm really looking forward to the conversation.

Thank you very, very much. And, Chad, can I ask you to do the same?

Similar to Brian, I have over thirty years of experience, consulting primarily around the M&A space. I am a managing director with VMG Health and lead our transaction advisory services division from a financial due diligence perspective. So I'm also interested in hearing and participating in today's discussion and talking more about the cybersecurity part of the equation.

Thank you very, very much. Brian, why don't you lead us off? So much of deal diligence is built around financial due diligence, legal due diligence, quality of earnings. Why is that not enough? Why is that not the core of diligence, and why are some of these other things so important too?

Well, that's a great question.
And, you know, I think back to the days before data breaches were commonplace, and we were all getting emails about monitoring services because our data had been exfiltrated and was available for sale on the dark web. So I think you've got to go back a little bit in time and think about what traditionally the due diligence process was all about. Then when you move forward through time, even just this year, there are some very good examples. Sorry, in '24, very good examples of recent data breaches affecting millions and millions of individuals. And so what does that mean? If you're looking to acquire or sell a health care company, on the buyer side, certainly the risk that you may be assuming may not be apparent, and I think that's definitely worth exploring and understanding: really getting behind the firewall, if you will, around what kind of systems and infrastructure they have, how it is operated, when their last incident was, if they've had an incident, and what their playbook is, if they have one. On the sell side of the equation, you really want to make sure that you're doing everything you can to support the value, and being a good potential partner to the acquiring entity, etcetera. And, really, a lot of what we would frame as cyber due diligence as part of an exercise today is really kind of basic blocking and tackling for cybersecurity, particularly in the health care space: knowing what you have, having an inventory and asset list, security and threat assessments, and all sorts of other good stuff. It's stuff that should be there already.
But because of the way that health care operates, and there are a lot of moving parts and a lot of buying and selling and everything in between, there are gaps. There are inevitably gaps in the M&A process that really need to be looked at holistically.

Fantastic. And, Chad, you do so much work in the financial health care sector. Where are some of the places where you end up seeing cybersecurity and some of these issues crop up as well?

See it all the time, Scott. And it's really unbelievable how much of an impact it can have on the operations of a provider even when the breach is actually not at the provider itself but with a vendor. I think all diligence is much better run holistically as well. I think it's very important for the different specialty teams to be working together so that I, as a financial person, can understand the potential financial implications of a discovery that may have been come across by the cyber diligence team. I think that in the transaction world, successful transactions revolve around trust and confidence. And so while my team can help provide some confidence in the numbers that are being analyzed, Brian's team can help provide some confidence in the cybersecurity strength of the company.

Thank you very, very much. And, Brian, let me ask you two questions specific to cyber due diligence, particularly in health care M&A, both from the sell side lens and the buy side. How do you view this from the sell side lens? Do you have to be in great shape to show the company in the best light to potential buyers? And then when you're a buyer, how do you think about buy side risks when you're in health care M&A and cybersecurity? Brian, can you talk about those two issues, sell side on cybersecurity and buy side?

Yeah.
And it actually almost cuts both ways, in some ways almost equally, because whether you're a buyer or seller, the concept of having a comprehensive cybersecurity approach for your organization is super critical. I think if you're on the buyer side, there are some things that you should be looking for from a buy side risk standpoint. Like, when was the last comprehensive risk assessment, and what standards were they using? Was it NIST? Was it 2.0? Was it HIPAA? Was it anything else? What was the standard that was used? Technical assessments, third party risk management that Chad touched on, frankly, is high on the list. A lot of even the best organizations with the most robust cybersecurity practices and hygiene have risk through their third parties, where some of these threat actors are coming in through a third party who doesn't have the same level of diligence around their program or the same investment, and they find a vulnerability or a weak spot and are able to use that to enter into an entity and do some significant harm and damage. So on the buy side, really understanding what the seller has been doing. What has the experience been like? What is the in house capability versus some of their service providers who might be filling gaps? On the seller side, again, like what Chad had said, it really is about trust and confidence. And if you're looking to exit an organization, you really do want to be in a position to say, we have done recent assessments. Maybe we had an issue, and here's what that issue was. We reported out. We did a root cause analysis.
We strengthened and hardened our systems, so we're better today than we were before, which would be an interesting conversation to have as a seller to a buyer. Like, we've been through it; it's not our first rodeo. We know that breaches happen. We have very sensitive information, and we've been through this before. Here's how we dealt with that. We learned from that. And here's the enterprise value that came out of it in terms of system hardening, really next level threat assessment, and really looking pragmatically at where the risks are to the organization, in terms of day to day operational risk and, of course, complying with rules and regulations, like I said, like HIPAA, for example.

Thank you. And, Chad, when you're dealing with health care M&A today, how focused are buyers and sellers on the cyber diligence? I take it a million times more than they were ten years ago. But what do you hear from buyers and sellers when we talk about cyber diligence?

Just because of the bad news, unfortunately, that has been exposed with the various breaches. And they've had such huge ramifications on the providers themselves, especially from a working capital flow perspective. As an example, Change Healthcare really hindered a lot of payments to a lot of providers. So it is very visible and in the forefront of the sight line. I think from a buy side too, it is not only assessing the cyber strength of the target, but if you're going to be relying on that target's technology platform in any way, shape, or form on a go forward basis, it is assessing it but also the financial implications of potentially strengthening it. How much will it take to get it up to where it needs to be if it is at a deficit? And what will it be to maintain that from a strong cybersecurity perspective?
On the sell side, or from a cap raise perspective, you want to shed very good light that you've put a lot of thought into the cyber element and have done your best to protect the systems accordingly, so that you are aggressively and proactively addressing and mitigating issues.

And, Brian, let me come back to you on the next set of questions. Each of you has had these fascinating, fascinating careers. Brian, for you, I'll take you back to the question set in a moment, but you've worked internationally. You've been in the US Army. What a tremendous experience you've had in life here. What are some of the leading practices for cybersecurity due diligence? And how do you frame some of these things in taking the right approach, given the vast experience you've had? What are leading practices for cyber due diligence?

Yeah. I think from a cyber due diligence perspective, you really need to look at it from where is my biggest risk coming from. So if you're an organization that has a significant reliance on third parties, and third parties are very much being targeted by threat actors, that is 100% a place where you should spend some time understanding what those third parties' programs are, what your contracts are in terms of, if you get breached through a third party, what is the liability there, and indemnifications, and the third party risk associated with the entity. I think that's top of mind.
I think as threat actors have evolved over the last, we'll say, decade, and now with AI, threat actors are using AI just like everybody else, and they're doing it well, to the point where some of the big providers of AI services are actively looking to kick them out of their offerings so that they can't continue to improve their malware and attack approaches with the use of AI. So the thing that I think most organizations need to keep in mind is, a cybercriminal, a threat actor, only really needs to be right once to get into the organization, versus your in house cybersecurity team. They've got to be right all the time. Right? You've got to be constantly defending, looking at the risk profile, and understanding where that threat may be coming from, again, whether it be through third parties, just touching on the AI. But, again, there's been an uptick in zero day attacks, which means that off the shelf software has a vulnerability that these threat actors now have been able to identify using AI in a much shorter time frame than they could in years gone past. They had to decompile the code and do a lot more work. Now AI can do it for them. So there are a couple of really key takeaways here. Again, third parties is one. I think in terms of understanding the data you have, and really the sensitivity and the regulatory requirements around it. Health care, obviously, has lots of PHI and PII and really sensitive information. And in other sectors, there's all sorts of IP and bits and pieces. But I think that's probably the second biggest thing, that if I was sitting in a CISO's chair or CIO's chair right now, I'd really want to make sure I know where that data that is super sensitive and subject to regulation is, and that I've got that being monitored heavily and locked down as best as I can.

Thank you.
And it seems like a nonstop fight back and forth, especially as the bad actors, the threat actors, get more and more sophisticated. Chad, I'll ask you to take the lead on the next question and ask Brian to jump back in. Chad, where does cyber insurance play in mitigating risks associated with health care M&A? Chad, maybe you could take the lead on that, and, Brian, you could speak up on that as well. Any thoughts there about cyber insurance?

Yeah. We're seeing it more and more in a transaction setting, alongside RWI as well, in terms of mitigating the risk. But in terms of also getting those policies, there's going to be additional diligence undertaken as well. And one other financial implication, just circling back, is on the security part. So any of the privacy breaches could have pretty massive financial implications too, and that is causing additional diligence to be conducted on the cyber equation in an M&A setting. Cybersecurity insurance, though, is becoming more and more prevalent as a way to mitigate the risk and exposure to the financial burdens of the breaches and whatnot.

Thank you. And to your point, huge financial ramifications if there end up being breaches and threats, or lockdowns and ransom and everything else. So many different places; even just leaks end up having huge financial implications and customer implications too. Brian, any thoughts you wanted to add about cyber insurance?

Yes. Thank you. 100%. I think, and Chad touched on it, most of these cyber insurers today are looking at an organization's approach to managing their own in house risk. And so where you can demonstrate you've done certain things to harden your systems or increase your hygiene, you can actually negotiate a better deal with the cyber insurance companies.
For example, multifactor authentication. If you don't have it today, you're probably not even going to get insurance. So most people now have enabled multifactor authentication around key accounts and assets and access. That's pretty low hanging fruit. But you would be surprised; for some of the smaller organizations that haven't really had to deal with cybersecurity and threat actors before, this is all new. Right? And so if you're going through a deal process and you're looking at cyber insurance as part of the program, and if you think about it from having insurance as part of the program underneath the RWI package that Chad mentioned, but also we're going to strengthen our security by enabling multifactor authentication, and we're going to do something better than what we're doing today with our backups to have offline and online. Things like that, blocking and tackling, help to negotiate that kind of longer term cost of insurance and really, I think, put everybody in a better position from a deal perspective.

Thank you. And take a moment, Brian, on third party risks. How do third party vendors factor into cyber due diligence and cybersecurity? So many of the big breaches came out of not somebody doing something directly, but through one of those third parties that they worked with. Talk about that a little bit, third party risk.

Yeah. It is a prevalent one. If you're looking at some of the larger organizations, they have been making significant investments. They're hardening their systems. They're upskilling their teams and using high quality third parties to fill in gaps. And so your larger organizations have fairly robust approaches and monitoring. Right? Endpoint monitoring, network monitoring.
A threat actor tries to undertake a phishing campaign; those things can be identified and stopped quickly. Same thing with ransomware. I've had multiple cases in the last twelve months where ransomware started because somebody did something they shouldn't and the ransomware was locking up an asset. But it got stopped in its tracks because the organization had segmented its network appropriately and had the right internal safeguards to really contain it quickly. The problem is if you're looking downstream at your third parties who don't have the same size, scope, and scale, or haven't made that same investment. A good example is they're not maintaining the most current operating system on their assets. So there are some vulnerabilities that potentially haven't been patched on their assets. And if those third parties are connected to an organization through EDI, APIs, or other information exchange protocols, now you have a potential path into the organization that's stemming from your third parties. And I think this becomes even more relevant, to your point, Scott. HIPAA has a new proposed security rule, which does extend to BAAs, business associate agreements, from health care entities, which will put a bit more teeth around it if you're a BAA and you're dealing with health care data. There are even additional requirements now, if they finalize the rule, because the way things are going currently, it's a proposed rule through Health and Human Services, the Office for Civil Rights. When it actually gets finalized, we'll see. But if it gets there, it'll have real teeth. And everybody that has a BAA with a health care entity will have to go back and reevaluate that relationship and those contracts to meet the requirements of the new proposed rule for HIPAA security.
And this issue with third parties is so challenging because you not only want somebody that's good to work with, but you've got to make sure that they're cybersecure and they put deep resources into it. It's challenging too because even some of the companies you think would be the deepest and the best at this face challenges too. That must make it challenging for a company to try and figure out which third parties are good or bad on the cybersecurity side.

100%. And one of the most critical aspects of your third party risk program would be audit. If you have an audit clause in your contract, use it. Go out there and make sure you understand what they're doing and how they're doing it, and if they've had an incident and how they responded. So it's not that dissimilar from the conversation that, again, if somebody who's selling has had a recent incident and became stronger because of it and strengthened their systems, it's kind of the same conversation you would have with your third parties underneath your third party risk program around exercising your right to audit.

100%. And, Chad, anything else you wanted to add about third party risk or any of the other issues that our audience should be thinking about in the health care M&A world as it relates to cyber?

I think the other thing to keep in mind is this is health care that we're talking about. So this isn't where someone gets my credit card number and maybe rents a Ferrari, and I have to settle it up with a bank or whatnot. The breaches can lead to really sizable disruptions within the health care setting, which ultimately could impact the quality of care as well. And so these are all things we want to avoid. So it's not only the monetary side of the equation that has implications, but potentially some of these can lead to quality of care issues as well.
And that's why I believe cyber is always going to get, and should receive, a ton more visibility within the health care world.

100%. When we see this now, when health systems get hit with ransomware and get closed down for a period of time, it's a disaster for health care provision and quality of care. It's really, really challenging. It's so interesting; while we're talking, I'm getting emails from Delta Airlines about their new multifactor authentication program and so forth. So what you're talking about is right on in the entire business world and particularly in the health care world. Brian and Chad, thank you so much for joining us today on the Becker Private Equity & Business Podcast, and thank you for all you do. What a pleasure to visit with you and VMG Health. Thank you very, very much.