SEC’s updated cybersecurity guidance could have implications for healthcare M&A

Interpretive cybersecurity guidance from the SEC applies to public companies, but private healthcare organizations can glean important information from the document. (Getty/gintas77)

Updated cybersecurity guidance from the Securities and Exchange Commission (SEC) could have a trickle-down effect on the healthcare industry, with implications for mergers and acquisitions, according to legal and cybersecurity experts.

Released by the SEC last week, the new interpretive guidance (PDF) outlines the regulator's cybersecurity disclosure expectations, requiring public companies to inform investors about “material cybersecurity risks and incidents in a timely fashion.” The agency also stipulates that directors, officers and corporate insiders are prohibited from trading securities in the wake of a cyberattack.

Additionally, companies must have policies and procedures in place to prevent corporate insiders from trading stock during the period between the discovery of an incident and a public disclosure.

While the SEC’s updated guidance, initially issued in 2011, impacts all industries, it has specific implications for healthcare organizations—both public and private—given the increase in data breach incidents in recent years.


“Everything is really amplified for healthcare companies,” Laura Hammargren, a partner in the litigation and dispute resolution practice at Mayer Brown in Chicago, told FierceHealthcare. “All the points [the SEC] makes apply the same to all industries, but if I were a healthcare company, I would be taking an extended look at this guidance.”

Private companies can glean useful insight about how federal regulators approach cyberattacks. Many privately held companies also adhere to the same financial standards as public companies in order to acquire bank loans or participate in joint ventures, says Stacy Scott, managing director of the cybersecurity and investigations practice at Kroll, which helps companies respond to and investigate data breaches.


Although she said that SEC guidance is “very loose” and “non-prescriptive,” it could serve as the basis for cybersecurity reporting during acquisition discussions. Although most healthcare companies already address cybersecurity incidents as part of their valuation, the SEC guidance “may give [an acquiring company] more backup to say, it’s not just us asking for this—it’s become a consideration for the SEC,” Scott says.

State laws can be even more prescriptive regarding mergers and acquisitions. A New York law that took effect in March 2017 requires companies that are acquiring or merging with another company to take into account the cybersecurity risks and engage in “a serious due diligence” process that includes cyber risks.

Healthcare is already heavily regulated when it comes to data breach disclosures. HIPAA requires healthcare organizations to report any breach that impacts more than 500 people to the Department of Health and Human Services (HHS), so most healthcare organizations already have protocols in place for incident reporting.

However, “it’s no secret that the healthcare sector has had its share of cybersecurity incidents over the past year,” said Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP in New York who chairs the firm’s data security group. The SEC guidance reiterated the need for companies to evaluate their cyber risk factors based on the threats to their particular industry.

“The guidance underscores the role of the board and senior management in cyber risk oversight, which is an issue that’s on the front burner at both the commission and private sector,” he said.