Cyber Security Regulation in the Financial and Healthcare Industries

Cyber incidents across industries have been on the rise, and as a result regulators have had their hands full struggling to keep ahead of the growing problem. In the past three years, more than 200 bills, amendments, and legislative proposals have been introduced in Congress to combat the cyber security issues facing American industries. Information security, typically viewed as an issue mainly for IT departments, needs to be addressed in every department, and regulators have been working hard to make sure that happens.

Most major companies today are subject to a multitude of regulations at both the state and federal levels. It can be difficult to discern which companies are subject to which regulations, as some federal and state regulations apply to one, several, or all industries. Companies need to take extra care in determining which regulations apply to them, as the penalties for non-compliance can be incredibly steep.

One such regulation that touches most, if not all, industries is the Cyber Security Act of 2015. On December 18, 2015, the President signed the omnibus appropriations and tax bill that included the Cyber Security Act. Essentially, the act sets a framework for how federal departments and agencies, state, tribal and local governments, and private companies receive and share cyber threat information. For private companies, the act provides a safe harbor from civil liability for information-sharing activities; however, those activities must be conducted according to the act’s provisions for a company to qualify for the safe harbor. The act’s framework is complex because of the number of entities it touches, but it is a step in the right direction in the fight against cyber attacks.

Certain industries, such as the financial sector and the healthcare industry, have complex webs of federal and state regulations to comply with. It is important to recognize which regulations apply to which companies, because regulators are out to make sure companies have policies and procedures in place to protect information security.

Financial Sector

The financial services sector is one of the more heavily regulated sectors. The Federal Financial Institutions Examination Council (FFIEC) is empowered to prescribe uniform principles, standards and report forms for the examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. The FFIEC provides cyber security guidance for financial institutions, and its member agencies expect the institutions they supervise to adhere to that guidance and enhance their cyber security frameworks to protect against a wide range of cyber attacks.

The FFIEC is not the only body issuing cyber security guidance to financial institutions. In 2015, the SEC’s Division of Investment Management released a guidance update to help registered investment companies and advisers create effective cyber security policies and procedures. The Commodity Futures Trading Commission (CFTC) has adopted system safeguards testing rules that require the exchanges, clearinghouses and swap data repositories it regulates to conduct five types of cyber security testing: vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessment. Additionally, financial institutions are subject to statutes such as the Gramm-Leach-Bliley Act (GLBA), which allows insurance companies, commercial banks and investment banks to operate within the same holding company and, through its privacy and safeguards provisions, mandates that companies protect nonpublic personal information about their customers.

There are many more federal and state regulations that financial institutions are subject to and must comply with, including the Fair Credit Reporting Act, the Right to Financial Privacy Act and the FTC’s Safeguards Rule, among others. All of these govern how financial institutions store, use, receive and send client information. Federal and state regulators take enforcement of these rules extremely seriously, and non-compliance can lead to very high penalties.

Healthcare Sector

Healthcare is an industry notorious for strict regulation. The healthcare industry sees at least one cyber attack per month, and patient data was lost or compromised at half of all healthcare organizations in the last year. That is an incredible amount of risk for patients, who can only obtain care by handing over their personal information. Healthcare entities have been known to sit on risks they have known about for up to three months without doing anything to address them.

Healthcare is such an important sector to regulate that it is the only sector explicitly addressed in the above-mentioned Cyber Security Act of 2015. The Act required the Department of Health and Human Services to establish a task force that will submit a report to Congress by December 2016 outlining the preparedness of both the Department and the industry to respond to cyber attacks. Ideally this will bring the healthcare industry into focus on cyber security and induce more proactive procedures to protect sensitive and regulated information.

While the Cyber Security Act is probably the most recent and prominent regulation for healthcare to comply with, there is a long list of other regulations and acts that require strict compliance. HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) are two of the more prominent regulations that have been making waves in recent years. Both address the privacy and security of patient information. The HIPAA Privacy, Security and Breach Notification Rules are enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR), and HITECH also gave state attorneys general authority to bring HIPAA enforcement actions; the Federal Trade Commission (FTC) enforces HITECH’s Health Breach Notification Rule for vendors of personal health records that HIPAA does not cover.

The healthcare sector is rife with sensitive information about individuals that needs to be protected, and the regulations in place must be complied with in order to keep patients safe from increasing cyber attacks. While the regulations mentioned above are the ones currently in the spotlight, there are many more, and players in the healthcare industry must be ready to comply with each and every one.

With a growing number of cyber attacks, it is extremely important for any company to understand how to comply with cyber security regulations in order to mitigate risk. Companies should adopt policies and procedures that fit their corporate plan while remaining in strict compliance with both federal and state regulations. Many cyber attacks and regulatory non-compliance fines can be avoided by taking the time to understand your company’s cyber security needs and implementing appropriate precautions.


By Katie Evans | McCullough Sudan PLLC


The Importance of Data Security Due Diligence in Mergers and Acquisitions

Mergers and acquisitions in almost all big industries have been on the rise in recent years. With this influx of M&A comes a heightened risk of cyber attacks during the process. As many experts agree, the time has come for M&A teams to place a larger emphasis on determining the security posture of the target company during the due diligence process, when there is still time to correct any issues or walk away from the deal if necessary.

Generally, IT teams have been more concerned with how the buyer’s and target’s IT systems will integrate, so the security side of IT may go all but overlooked. The reasons vary, from a lack of understanding of the area and buyers not knowing how to handle it, to target companies being reluctant to disclose information because they do not want to risk a lower valuation or the deal being abandoned if problems are uncovered.

Failure of a target company to meet its privacy and data security obligations can result in heavy liability for the buyer, as the buyer typically assumes the target’s liabilities when merging. Target companies must be willing to provide their security information, and buyers need to be proactive in seeking that information out during the due diligence process. Data security is a business risk as well as an IT risk, so a more complete picture of the target company’s data security posture gives the buyer a more accurate valuation and a better understanding of where risk lies and how to correct any lingering issues.

Buyers should review materials related to the target’s data security including, but not limited to, policies and procedures for the collection, encryption, storage, use and destruction of private information of customers and both buyer and target employees. By reviewing such materials, buyers gain an understanding of the rights and obligations of the target that are related to personal information. Additionally, buyers should request a history of any previous breaches or security incidents and what was done to correct them. Knowing what, if any, security issues the target had in the past can help the buyer protect against such issues in the future after the transaction is complete.

Data security due diligence is very important in the M&A world, and it has been all but overlooked for too long. Compliance with a number of federal laws, including the Sarbanes-Oxley Act, HIPAA and HITECH, and the Fair Credit Reporting Act, as well as a number of state laws, depending on the industry, should be assessed during the due diligence phase to lessen the risk of non-compliance and the associated penalties. The importance of data security due diligence needs to be recognized, as mergers and acquisitions are not projected to slow any time soon and penalties for breaches leading to federal or state non-compliance can be extremely detrimental to any company.


By Katie Evans | McCullough Sudan PLLC

Current Drivers of Healthcare and Hospital M&A

In recent years, many industries have seen big jumps in mergers and acquisitions, but the boom in the healthcare industry has been notably unprecedented. In 2015 alone, announced healthcare deal value ran to hundreds of billions of dollars. While that figure included at least five mega-mergers of $20 billion or more, the healthcare industry as a whole was still far in excess of the average annual deal value of the previous decade. And it is not predicted to slow down any time soon. So, what is driving all this activity? Below we will discuss a couple of the major factors contributing to the largest M&A surge we have seen since 2007.

The Affordable Care Act

Healthcare reform, while not the only driver, has been a major element of the M&A boost. The Affordable Care Act (ACA) has expanded access to healthcare through individual health plans, adding approximately 14.7 million newly insured people in two years. This massive increase has created opportunities for those who want to “scale up” and for healthcare payers and providers who have been looking to enter the market. While the penalties for post-closing noncompliance can be extremely high and have killed deals in the past, careful due diligence during the transaction can ensure that the deal goes through and that the resulting entity is in full compliance.

Generational Change

Generational change pertaining to the Baby Boomer generation is a hugely powerful force in the healthcare space today, and long-term care is in a historic bull market. As the Baby Boomer generation reaches retirement age, there will be a surge in demand for senior healthcare, a segment that buyers perceive as offering all but guaranteed security in senior care centers. While “guarantee” is a tricky word, the Council on Social Work Education recently released a study finding that over 50% of the approximately 73 million baby boomers reaching retirement age between 2011 and 2029 (2029 being the year the last boomers reach retirement age) will suffer from at least two chronic illnesses by the age of 60. With these waves of elderly people needing multiple specialists to treat multiple diseases, hospitals will take on more of the financial burden because those patients are more likely to end up in a hospital. The resulting need for alignment between providers represents yet more opportunities for mergers and acquisitions in the industry.

The surge of retirement-age Baby Boomers is driving an increase in Medicare enrollment. This sudden increase, as with the increase in Medicaid, is driving up revenue for providers serving the government-sponsored programs. However, some large insurers do not have adequate Medicare and Medicaid exposure, and that could drive further acquisitions by big players in the industry. An additional incentive for possible acquirers is the prospect of cutting costs by consolidating operations. Insurers are facing physician groups and hospitals that are getting bigger and bigger, and this is prompting insurers to consider mergers to maintain negotiating power.

It is no surprise that the long-term care market is experiencing sustained growth in light of the growing number of retirement-age people, and that investor demand is incredibly high. There is, and may still be, some uncertainty about the availability of long-term care properties, but sellers have eased that uncertainty to a degree, for now, by rising to meet demand because they do not want to miss this strong bull market. Valuations present a problem because they are extremely high; however, this may lead to consolidation among some of the largest players in the industry, because between the biggest insurers the premium could be lower. In the coming years, we may see more consolidation between companies of similar size.

With the number of retirement-age baby boomers on the rise and exiting the workforce, healthcare is facing a growing shortage of working professionals. Nursing is a well-documented area facing a huge shortfall, as is primary care. Because of the length of the training programs for these professions, this gap has been and will continue to be a difficult one to overcome. Additionally, the physicians entering the workforce generally have a different outlook on work than the baby boomers did; many demand more balance between work and personal life, meaning fewer total work hours. And it doesn’t stop at nurses and physicians. Along with the shortfall already seen in geriatric caregivers, there is a need, which will spike as the baby boomers continue to retire and require aid, for direct care workers, particularly health aides and personal care aides. While this may create jobs in the future, the number of people skilled in such jobs may be scarce. Mergers and acquisitions between companies positioned to provide this type of care could help ease the burden.

VC Investments

Renewed confidence in the healthcare industry is pushing a fundraising-investment-exit cycle. Big exit M&A deals are closing faster than in previous years and thus offer higher and faster returns on investment. VC investors are looking for fast returns, and they are getting them thanks to sustainable industry expansion, strong consumer demand, and low-interest money. With quick exits in a hot market, investors are more likely to raise another fund with the dollars they would typically have reserved to support existing portfolio companies but no longer need to because of the quick exit. In the short term this is working out well for everyone, and this type of VC investment is generally focused on the short term. However, VC investment aids M&A in that it encourages new ideas, synergies and the like, all working toward the continued success of M&A in healthcare.

There are many other drivers, along with those mentioned above, that have resulted in the industry consolidation we see today. The ability of payers to absorb providers, and vice versa, has opened new doors in the marketplace and has turned those who might not have been players into players ready to consider M&A deals. These deals are not predicted to subside in the coming years, especially with the baby boomers entering retirement and enrolling in government-sponsored programs. With the deals, however, come positive changes in how patient care is handled and in how payers and providers work with each other. It may look like chaos right now, but it is no different from the look of other industries that successfully went through similar transformations.


By Katie Evans | McCullough Sudan PLLC

Do’s and Don’ts for an American Company Expanding Abroad

Today, the United States remains the world’s largest national economy, with a staggering $17.947 trillion current-dollar GDP. Starting and operating a successful business in the United States is no small feat and requires overcoming fierce competition from both local and international businesses. However, ever-increasing globalization paired with the sheer size of the American economy means that operating solely within the American market no longer satisfies many American business owners. Instead, many are inspired to expand their businesses into new international markets. Expanding a business globally is a daunting task for any business owner, requiring vast amounts of capital and detailed business plans, to name only a few considerations. The natural tendency of business owners seeking to expand internationally is to first consider obvious issues such as how to raise the necessary capital and where to expand to. Legal considerations often take a backseat to these and can cause expensive and complicated problems for the company later in the expansion process. Here are a few do’s and don’ts that highlight the legal issues involved in expanding an American business globally:

Do’s:

  • Locally:
    • Ensure local demand
    • Form partnerships with local companies (distribution etc.)
    • Attract local workers with competitive benefit and compensation programs
    • Be mindful of local translation / advertising for product
    • Industry-specific regulations / gov. specific regulations
    • Local laws / legal processes
    • Set up proper local tax / financial infrastructures
    • Form strong teams in both locations


  • Logistically:
    • SWOT analysis (Will the new market pay more for your product?)
    • Product gap analysis (Comparing your product to local product)
    • Develop risk management plan
    • Ensure product passes patent / trademark review

Don’ts:

  • Locally:
    • Overlook language barrier / local customs and norms
    • Cut costs on investing in local talent
    • Non-compliance with local laws (labor, immigration, employment)
    • Non-compliance for international transactions: These need to comply with both US and local rules.


  • Logistically:
    • Use same marketing strategy abroad as in the US
    • Overlook best structure for international business dealings (local branch office, foreign subsidiary, joint venture etc.) and different tax, liability and burdens of each
    • Overlook whether to make foreign workers company employees or independent contractors (liability varies)
    • Forget intellectual property protection varies from country to country



By Tiffany Auber | McCullough Sudan PLLC

Stock for Stock Acquisitions

Occasionally in acquisitions, the Buyer may offer its stock (alone or together with cash) as consideration in exchange for the stock or assets of the Target. In effect, the Target’s shareholders are investing in the Buyer’s business by taking the Buyer’s stock as payment.

Where this becomes an issue is when the Buyer is a private company that uses its stock as consideration. Many times the Buyer will circulate a draft Stock/Asset Purchase Agreement requiring the Target to make extensive representations and warranties while making very minimal representations itself. This is a common Buyer tactic that Targets should be aware of.

Therefore, if the Buyer is issuing stock to the Target’s shareholders as consideration for the acquisition, it is reasonable to request that the Buyer’s representations and warranties be as extensive, or nearly as extensive, as the Target’s. However, if the Buyer is a public company using its stock as consideration, these representations and warranties are typically reduced, because the material information is required to be disclosed to the Securities and Exchange Commission (SEC), is publicly available for review, and is incorporated into the Stock/Asset Purchase Agreement by reference.

Brexit: Implications for the Market and the US

In what Boris Johnson calls a “Glorious Opportunity”, the United Kingdom has voted by referendum to leave the European Union. Markets this morning have been jolted by the news. The pound is sliding and investors are nervous. But what will the long-term consequences be for the United Kingdom, for Scotland and Northern Ireland, and for the future of the European Union? With a weak European and global economy and an ongoing refugee crisis, could we see further disruption to the EU and to markets?

Will London have the wherewithal to remain the financial capital of Europe despite breaking from the EU? And, bringing this closer to home, will the Brexit vote have broader implications for the upcoming US election, which features similar nationalist/anti-establishment undercurrents against a globalist/establishment party?

Will the Brexit market disruptions have an impact on American Main Street? Certainly, Brexit will cause an immediate disruption to the global economy, and this is likely to negatively affect US companies in the short term. However, will there be a flight of European capital to the US in search of perceived stability?

We will follow the unfolding story and look for the business opportunities among the market disruptions.