It is common for companies and cybersecurity providers to talk about “cyber due diligence” as something that needs to be conducted in connection with pending mergers or acquisitions. A 2020 survey of 1,000 executives at U.S. corporations and private equity investor firms found that cybersecurity threats were the respondents’ principal concern about executing a deal in a virtual environment.
Cyber due diligence, however, must be a year-round concern for companies as they engage external providers of cyber-related services. Regrettably, a recent indictment that the U.S. Department of Justice obtained shows that companies cannot assume that the cybersecurity providers they engage are guaranteed to be trustworthy merely because they offer legitimate cybersecurity solutions.
On June 10, the Justice Department announced that on June 8, it had obtained an indictment in the Northern District of Georgia against Vikas Singla, the former chief operating officer of a metro-Atlanta network security company that served the health care industry, for allegedly conducting a cyberattack on Gwinnett Medical Center (GMC). The alleged attack, which took place in 2018, was conducted, in part, for financial gain.
The indictment charges Singla with 17 counts of intentional damage to a protected computer and one count of obtaining information by computer from a protected computer. It alleges that on September 27, 2018, Singla – aided by unknown others – intentionally caused damage to GMC computers that operated a GMC phone system and multiple printers, and obtained information from a Hologic digitizing device.
As the information regarding this indictment suggests, a company with an established working relationship with an external cybersecurity provider should maintain a “trust but verify” relationship between its internal information-security team and the external provider. Any indications from the company’s intrusion-detection systems that the provider (or an employee thereof) is seeking to enter the company’s networks or systems without clear prior approval may require an immediate cyberdefense response that does not involve the provider. By way of comparison, in GMC’s case GMC reportedly began investigating an unspecified security breach in 2018 after some of its patients’ data began appearing online. That investigation may have been what led to the Singla indictment.