A rapidly-changing cybersecurity risk landscape for life sciences companies.
Cybersecurity continues to be headline-grabbing news, particularly following recent reports of high-profile cyber attacks on a number of major well-known corporations. Conscious of their fiduciary duties, boardrooms of global companies are paying increased attention to cybersecurity, which now ranks as a global risk preoccupying the minds of captains of industry, heads of state, academics, and law enforcement, who all gathered in January this year at the World Economic Forum (WEF) in Davos to debate the best policy and legislative strategy for cybersecurity. To coincide with Davos 2016, the WEF issued a report that warns that failing to improve cybersecurity could cost the global economy USD3 trillion.
Governments and security experts have already singled out the life sciences sector as being significantly vulnerable to cybercrime. In cybersecurity terms, innovation is fast becoming a double-edged sword for life sciences clients. A recent UK Government report pointed to the high levels of revenue generated by the life sciences sector, combined with high investment in R&D and manufacturing, and the high level of reliance on IT systems and providers, as reasons why this sector's cybersecurity risk profile is dominated by industrial espionage, intellectual property (IP) theft, and service denial. Of 26 business sectors analysed in the report, it identified life sciences as the main target of IP theft, costing the UK GBP9.2 billion, of which it attributed GBP1.8bn to theft of pharmaceutical, biotechnology, and healthcare IP.
Only last month another major life sciences company fell victim to alleged theft of valuable trade secrets relating to promising scientific research for a new cancer treatment when two company scientists and three others were charged by prosecutors with stealing research and manufacturing secrets potentially worth hundreds of millions of dollars for sale in China, where pharmaceuticals is a sector targeted by the Chinese Government for strategic growth. With estimates that put the out-of-pocket cost of developing a prescription drug that gains market approval at USD1.4bn, life sciences companies should rightly be concerned about safeguarding their valuable digital assets.
As government concern increases, so does the level of government outreach work with life sciences companies, for example by inviting major companies to participate in cross-industry working groups and encouraging collective industry action, in order to raise awareness of the importance of cybersecurity across the sector and to support companies to communicate effective cybersecurity messages. In the UK, this culminated in the publication of a Ten-Step Guide on board responsibility for managing cybersecurity risk, which the Government claims is used by around two thirds of the FTSE350. Then in March this year, the UK Cabinet Office confirmed that the UK's new National Cybersecurity Centre (NCSC) will open in October and work closely with the private sector in managing cybersecurity risk. Commenting on the NCSC, the Director General of Cybersecurity at GCHQ, Robert Hanningan, has highlighted the role of the new agency in helping to combat the online threats that exist to what he calls "the industrial-scale theft of IP from UK companies and universities".
The particular risks to life sciences companies and the myriad of legal and regulatory requirements to which they are subject can vary significantly in a cybersecurity context depending on exactly where and how they do business. Larger life sciences companies can have several business lines with different geographical footprints, each with their own particular cybersecurity risk profiles necessitating a risk-based but still integrated approach to risk management at an enterprise level to avoid duplication or gaps.
In common with most industries, cybersecurity in the life sciences sector is only as good as the weakest link in terms of a company's staff, processes, and technology. Against this backdrop, life sciences companies are understandably concerned about what standard of care they should adopt and how to structure and deploy resources to comply with the rapidly evolving cybersecurity legal landscape with new and emerging laws on the horizon. This report highlights the key cybersecurity issues for life sciences companies, developments in the law, and what they should do to keep on top of the risk.
Read the full publication here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
