With the recent increase in cyber crime making headlines across the world, it’s no wonder that the Life Science sector classes cyber crime as one of its top threats. Pharmaceutical, research, clinical trials and similar organisations all rely on technology to conduct their daily work, share information and communicate, and the compromise of these systems can be devastating.
These companies rely on a reputation for reliability when working with clients, the government and investors, yet hackers, foreign spies, disgruntled employees and criminal networks all pose a risk of breaching the networks of these companies and potentially causing significant financial and reputational damage in the process. In this article, Gallagher will take a look at how cyber attacks pose a risk to the Life Sciences industry and what these organisations can do to help protect themselves.
The nature of the Life Sciences industry means that they are likely to hold sensitive or valuable data, which can be stolen by hackers for ransom, extortion and profit. As well as this, Life Science companies face significant regulatory issues if they fail to secure their data – even with GDPR in place, some businesses are unaware of the extent of the fines they could receive for failing to protect their data. These factors, combined with a general lack of employee security knowledge and a lack of investment in security infrastructure puts companies at risk.
This is reaffirmed by Gowling’s Digital Risk Calculator [1], which highlighted that external cyber risks are the most concerning category of digital threat, with 51% of respondents believing that the threat was due to increase further over the following three years. The second biggest threat was risks related to highly sensitive and valuable data (55%). Other areas of concern included customer security (57%), identity theft (47%) and insider crime from employees (42%). While no one knows the true extent of insider theft, it is likely that company insiders are the biggest cause of proprietary information theft. In addition, the increasing use of ‘cloud’ storage facilities and online networks, combined with sensitive information about pricing and formulas, has created a potentially lucrative target for cyber attacks.
So how can you protect your business?
To begin to protect your business against cyber threats you need to understand what your assets are. What parts are critical to the day-to-day operations of your business and product development? What parts of this could be appealing to hackers or are protected under regulations?
Life Science companies need to take the time to catalogue these assets so that they can better understand their exposures and figure out what areas need security improvements. Below are some areas you should consider when carrying out an audit.
Identifiable Personal Information and Personal Health Information
From employee and customer data through to credit card information, the vast majority of businesses will hold personally identifiable information, which can be costly if stolen or lost. In addition to this, healthcare companies will hold personal health data on their patients, which will cause a regulatory issue and put them at risk of litigation if breached. It is good practice to anonymise this data, rendering it mostly useless if stolen.
Corporate Confidential Information
Ranging from the big things like formulas, research, corporate strategies, clinical trial data and intellectual property through to trivial things like emails and memos, this data can cause great harm if lost. Leaked emails can cause reputational damage, while formulas can be stolen by foreign competitors – costing you revenue and wasting years of research.
Software and systems
Third-party software can leave you exposed to cyber-attacks, especially cloud hosting services. Only the relevant people should be given access and you should regularly update software to prevent ransomware taking hold through exposures in outdated versions.
It is important to monitor your hardware to ensure that your servers are physically protected. The same applies to employee laptops and mobile phones. It is vital that the data on these is encrypted and that employees are aware of the importance of keeping these devices secure.
Company Websites, Social Media and similar sites
You should take the time to assess who is in control of these websites to help prevent hackers from posting malicious content on your feeds or holding your accounts at ransom.
Lastly, while you may not consider your reputation an asset, it is certainly something that can be impacted by cyber attacks. Once an event has happened, it can be difficult to repair reputational damage.
How do you protect these assets?
Once you’ve assessed what your assets are and how they can be impacted by cyber crime, you need to put a system in place to keep them secure. While you should already have security measures in place such as firewalls, access authentication and anti-virus tools, these will not always successfully keep out a dedicated career criminal. You should dedicate a portion of your security budget to detecting back-door intrusions and to prevent these from happening where possible. You cannot prevent every breach however, which is why you need to prepare a breach response plan to help clean up after the fact. This will help you to establish how the breach happened, the extent of the damage done and how to prevent similar attacks in future.
Of these breaches, data breaches are the biggest exposure [2] as they often involve client information, and as a result of this they also tend to capture the imagination of the media. While many Life Sciences companies will assume they do not hold enough of this data to warrant the purchase of cyber insurance, each company will have to do their own assessment. The loss of clinical trial information, for example, could result in significant costs to replicate the trial as well as unprecedented delays. As well as financial loss, cyber exposures can also lead to increased costs, loss of productivity and revenue to those impacted.
Cyber insurance can help with many of these issues, firstly by addressing the first-party and third-party liability that the breach causes and also by helping you to report and respond to the breach.
Unique areas of attention
There are a number of areas that the Life Science industry is exposed to that many other industries may not be. Here we highlight some of these.
Mergers and Acquisitions
M&A activity is increasingly common in the Life Sciences industry. During the integration period of two companies there can be an increased risk of data breaches due to the combining of processes, including IT systems and hardware. If employees have been made redundant as part of the process, then it is important to take their mobile phone and remove any access they may have to company drives. Disgruntled ex-employees can present a risk of intellectual property theft or sabotage. New employees must be retrained to ensure that they meet the same standard of security already within the company.
Many Life Sciences companies use third-party companies to store, manage or process data. This presents a security risk as you cannot always control how these companies protect or control their data. You should also be aware of where this data is held, as it could be subject to different country restrictions. Many companies handle this by imposing their own data security practices on the vendor and carrying out audits to ensure they comply.
Many Life Sciences companies use emerging markets as an untapped place to market and sell their products. This means that the infrastructures and research labs established in these places need to maintain the same standard of compliance and control systems as they would in the US or EU. There are also risks concerning local customs and lax regulatory environments which need to be considered. In addition to these risks, there are also language barriers which could prevent the correct risk management procedures being implemented, so due diligence should be carried out at all times.
Life Sciences companies have additional contractual requirements which they must fulfil to indemnify themselves when working with partners and vendors. Good risk management should involve negotiation with these other businesses including, where necessary, requiring insurance to support indemnity obligations.
The Life Sciences industry works at the forefront of research and development to generate one of the most important sources of innovation and economic growth. This can make the industry a prime target for cyber criminals and creates a need for businesses to protect their intellectual property, customer data, and other similarly valuable assets.
There is a need to strike a balance between cost-effective security measures and the need to anticipate and prevent attacks where possible. This can be achieved partly by risk management: making an inventory of your assets and putting security in place to help protect them. You cannot anticipate every attack however, and this is where cyber insurance comes into play, by helping you to repair the damage caused by the breach after the event.