Specialty Podcast: Portfolio Protect Builds Cyber Resilience Across Multi-Site Organizations
By Alliant Specialty
Join Brendan Hall and Michael White, Alliant Cyber, and Scott Erickson, APT Healthcare, as they explore how Alliant’s PortCo Protect program supports private equity organizations in advancing cybersecurity maturity across their portfolio companies. The discussion highlights how portfolio-wide risk assessments, sponsor transparency and ongoing remediation guidance help drive alignment, justify investment and strengthen security posture. Scott also shares firsthand insights on modernizing IT infrastructure, improving defenses against threats like ransomware and the value of collaborative partnership in elevating enterprise risk management.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
Brendan Hall (00:09):
Alright, welcome to yet another Alliant Specialty podcast. I am your hostess with the cyber mostess, Brendan Hall, one of the practice leaders here at Alliant for our cyber insurance and consulting business. We are thrilled today to welcome Scott Erickson to the podcast. Scott is a trusted client of ours at APT Healthcare. Scott, how are you?
Scott Erikson (00:29):
Brendan, I'm doing great. Thanks for having me today.
Brendan Hall (00:32):
You're so welcome. We've also got Michael White, who's part of our cyber team at Alliant, who's joining us to kind of bring things along. Think of us as a Batman and Robin type of team here. We're here today mostly to talk about not just cybersecurity, but specifically a service that we offer here called Portfolio Protect, which is a port for private equity sponsors. It's a portfolio-wide cybersecurity risk assessment and remediation program. Scott, just by way of background, do you just want to give us sort of a high level, who you are, what you do, all that good stuff?
Scott Erikson (01:03):
Absolutely. I'm the CIO for APT Healthcare. We're an organization that provides physical therapy services as well as chiropractic and some doctors on staff. Primarily physical therapy is the core business. We're in the Mid-Atlantic area from Baltimore down to Richmond, Virginia. We've got about 90 clinics in the company today. My background is multi-site ambulatory healthcare. I've been doing this for about 25 years at mostly PE-backed firms that are either in an early stage or startup kind of grouping. A lot of times a bunch of practices get together and form a mega group and need to figure out how to spin up those centralized services. I've been with APT for about three years now. Came in right as we were doing an EMR transition, about a year and a half after the private equity investment. We're about five years in on that investment now, and it's been a great experience. A great company, great partners. Happy to be here.
Brendan Hall (01:55):
So you're a veteran of a private equity-backed organization. I find it so interesting and what a challenge it must be, especially when you're doing bolt-on acquisitions for various practices, kind of pulling it all together and getting everybody into one way of doing things all on the same systems. Can you speak to some of the challenges around that? Especially having, you said 50 sites, that's a lot of addresses and endpoints to be talking about.
Scott Erikson (02:20):
Yeah, so we're 90 locations, so a little bit more.
Brendan Hall (02:23):
Ninety, sorry.
Scott Erikson (02:24):
Absolutely. This organization has been largely just de novo growth. We've done some acquisitions over the years. They tend to be smaller in size and scale, four or five clinics that will get added in, but just a lot of de novo growth over the years. That creates a different set of challenges than growth that is driven through acquisition. A lot of times when the private equity money gets invested in multi-site ambulatory healthcare, it creates the runway to go do a lot of acquisition efforts. This organization, APT, is a little more focused on the de novo growth. With that said, the challenges are not unique to healthcare. There are some unique healthcare aspects. Most of the time when you're doing an acquisition or a consolidation in healthcare, it's probably been the physicians or the core providers that owned the business, operated the business, or the chief executive officers, as well as treating patients. When you start rolling that into a private equity sponsored organization where you have more of a corporate infrastructure, more best practices, compliance, risk management, all of these centralized functions, it's a growth experience for the providers who have been used to kind of running their own business. That's always a transition. I think it's helped by the fact that these folks are usually working with the broker as they're going through their transactions to sell, so there's some coaching. They understand to an extent what they're giving up, at least conceptually. I think emotionally they start to realize it a lot more once the deals are done. What I've really been enjoying about this company is culturally, everybody gets to maintain a lot of their own independence and identity. We take very much the House of Brands approach as opposed to forcing everybody to use the same name. We pick our opportunities for centralization. Security and compliance is one that you can't cut corners on. 
That's generally the first place that we start to enforce company standards, when we're dealing with growth and acquisitions.
Brendan Hall (04:28):
Interesting. I literally had a conversation with another sponsor who's in the same space as you all yesterday and just talking to the challenges of this. Hopefully the more steady paycheck gives the doctors a bit of comfort in letting go of the reins and giving it over to the folks that they've sold to.
Scott Erikson (04:43):
There's an alignment component to this. If we're acquiring somebody who's built a practice up and they have 5, 6, 7 clinics that they've been running, chances are we're acquiring them because they're well run. Typically we would have that person who was running it become the regional director for that group of clinics in our organization. That means that we need them to be incentivized. They're going to get a payout when we acquire them, but we try to structure deals so that there's incentives as well, when our next transaction happens, that they're going to essentially get a second opportunity to monetize their efforts alongside of us. I think that alignment really is critical to success, especially in faster-paced growth organizations.
Brendan Hall (05:24):
Everyone's got skin in the game. That's great. As it relates to cybersecurity, so you kind of come into this portfolio situation, you're told by your sponsor, hey, you're going to go through this risk assessment program, you're going to work with Alliant, who's also our insurance broker, they've got a cybersecurity team. Can you talk about that experience and how that's helped you kind of bring your program along?
Scott Erikson (05:43):
Sure. A unique aspect here was there was very little tech when I arrived in this organization. If we were opening a new clinic, we'd drive over to Costco and whatever was on sale for that day was the laptops that went in to the clinic. The routers were the Comcast Xfinity router, and that's what we were using as a firewall. From a security perspective, and this was evident within a day of being here, there were significant gaps on my arrival. Fortunately, right after I started was when York introduced us to you all and we started this work with Alliant. I had essentially a mandate from the board to start to go through the assessment experience and then remediate. I was encouraged that there was a lot of overlap between the risks, the gaps that I had identified on my own in the first few weeks that I'd arrived here, alongside of that first-year roadmap and assessment that Alliant put together saying, hey, these are the places you want to focus to improve your maturity. That was validating and then supportive as well because now I had the sponsor's compliance aspect pushing to say, hey, you need to go make these changes. That really helped because our leadership, our board, our operations side is still very much in that entrepreneurial mindset of we're not going to spend any dollars unless it's reactive to a crisis kinds of things. This cyber stuff is a lot about balancing proactive defense investment. There was no question that I needed a network directory, that we needed perimeter security appliances, that we needed all of these multifactor enforced. The relationship between the PE sponsor and Alliant made that so much easier for me, working with our steering committee and our governance model to get the approvals that we needed to get the relative prioritizations in place.
Brendan Hall (07:32):
That's great to hear because, obviously when we designed the program very much what we hoped for. It's good to hear that the gaps that you had already seen align with the gaps that we did, but that it helped you kind of push forward the agenda of budgeting for cybersecurity. Because I get it, the entrepreneurial spirit like, hey, let's not spend any money unless we absolutely have to. Cyber's one of those things you don't want to have to come out of pocket because the expense can be way more than you think if you let an accident or some kind of emergency happen. Mike White, since you're here as well, with this program, how do we keep the sponsors? We do the assessment and every month we're meeting with the companies to make sure they're sort of ticking off the boxes and bringing the program along. How do we keep the sponsors in the loop to make sure they know the investment that they've made is actually paying off?
Michael White (08:18):
That's a key part of our program, Brendan. It's absolutely a thing that we put a lot of focus on. As Scott talked about earlier, we were involved early on with supporting the justification and helping get approval. Then after that, we have regular meetings with the sponsor where we present to them, we talk to them about what's been budgeted by APT and their other portfolio companies. How are the companies doing to their budgets and their plans, and then what's coming next? What are the next steps to be expected? We meet with the sponsors, we go through that level of detail with them. We give them full transparency into what their various portfolio companies are doing. This gives them the understanding of how the cyber programs are maturing at each one of their firms. The sponsors we speak to, they really appreciate having that transparency into what each one of their companies are doing from a cyber point of view and knowing that the spend is being put to the right areas that the firm needs it.
Brendan Hall (09:19):
Great. Yeah, that's a good overview and again, part of what we put in this program together. You got to make sure everybody's pulling the oars the same way. I'm glad to hear that's all working out as intended. Now, Scott, we were looking at your program today. There's so many different transitions. You're basically standing this up. Are you primarily a cloud-based operation, and if so, what has that transition been like?
Scott Erikson (09:39):
Yeah, I think that's been the, I might have said saving grace. I will say today it's been one of the most exciting and interesting aspects of this organization. Because while there was incredibly little IT tech stack infrastructure when I arrived here, the tech they were using is all in the cloud. So email, we were on Google, we're Microsoft now. The accounting package was web-based. The medical records system and revenue cycles were all cloud apps that were there. When we did our assessment with Alliant, it was clear that we were not where we needed to be on that CIS maturity score. I think that the effort involved in closing the gaps has been less costly and less resource intensive because of our heavy focus on cloud. I'll give you some examples. I think when I got here there were two file servers in the enterprise across 90 locations. That's not bad. They were legacy like old file servers, like just one had three shared folders, the other was a 10 user domain controller. We moved both of those into SharePoint and now have zero server infrastructure physically within any of the locations. It's computers, it's internet connections, it's some security appliances, but there's no servers anywhere. I think that represents a material reduction in our risk of ransomware. A lot of times the way the ransomware attacks happen is you get a device compromised and then it just looks for any NTFS shares it can find out there to then go and encrypt. Even if somebody had a OneDrive or a SharePoint folder replicated locally to their device, we've got version control and the native backup tools that are inherent to Microsoft and Google's cloud file storage that make it a whole lot easier to do a recovery if something did get compromised or encrypted like that. We've spent a lot of time partnered with Alliant focused on what are the real risks, what are the places that are balancing the best practice compliance components with? 
This is really a place where we're struggling right now. We do a lot of work with attorneys. We've trained our staff. If an attorney wants something, needs something, you got to respond immediately. Attorneys are notoriously underinvesting in their own cybersecurity, so we get phishing attacks from our partner attorney groups. We've trained our front desk to be happy clickers on those phishing attacks, which is self-inflicted pain, but it's the reality of how we operate our business. We're just now implementing enhanced email security with Check Point. We worked through a vendor selection process that Alliant helped us structure our key questions a little bit on. That's really our core risk profile, more so than an organization that might have a lot of physical servers and CIFS file shares out there. It might be more exposed to something like ransomware.
Brendan Hall (12:31):
Oh, that's great to hear. In summary here, you've come into this organization very mature. The assessment process helped you sort of really develop a roadmap, and now we're kind of moving above and beyond just par up into far more sophisticated and mature approaches to these sort of what are the most prolific attack types out there, ransomware specifically being one of the most damaging financially and reputationally. We love to hear that. So glad, Scott, to have APT as a client and part of the program here. Any closing thoughts?
Scott Erikson (13:00):
I would just comment on really alignment. I imagine a lot of times people in IT ops, security ops, working with an outside partner on assessment and gaps can feel a bit threatening. Essentially you're bringing somebody in to tell you what you're doing wrong, where you haven't closed these gaps. I think I was a little bit fortunate timing-wise that this kicked off. I had some sort of plausible deniability around how we had gotten here. The reality was the private equity sponsor and Alliant have a vested interest for me to get to the level of maturity that I want and that I need in terms of our posture for cybersecurity. I couldn't be more proud of the work that we've done in that. We've done a lot of IT stuff. We've replaced the whole EMR. We've moved from Google to Microsoft. I think the maturity of our cybersecurity posture is arguably the best accomplishment that we've had in my three-year tenure here. I think a lot of that came because everybody got aligned between the board, the steering committee, the sponsor and myself, and certainly Alliant with you guys' continued help. I'm optimistic we're going to be up at the top of the curve for the portfolio when we do the next level of reassessments.
Brendan Hall (14:11):
Wow, that's a great closing thought. I really love that. Thank you so much again. We really appreciate your business and your partnership and obviously your time today being on the podcast. Happy holidays to everyone who's tuned in today, and let's make a great 2026.
Michael White (14:25):
Thanks, Scott. Great seeing you.
Scott Erikson (14:28):
Awesome. I appreciate y'all's time and all the support and help.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.