Cybersecurity Insurance Is Not a Cybersecurity Strategy
Life sciences companies, especially biotech and small pharma, have lagged behind other industries in their adoption of technology to optimize business performance and get to market more quickly. This also means there has been a delayed appreciation of the cyber threats to their businesses (financial, reputational, or regulatory) that result from breaches.
But now it seems that some biotech execs (and possibly board members) are reading the headlines, or listening to their counterparts in other sectors, and are realizing that they cannot continue to ignore the threats to their intellectual property (IP) and data integrity as they move products through the clinic and the regulatory approval processes to the commercial market.
In biotech, we have the added responsibility of ensuring our data is accurate, complete, and reliable to ensure product quality and patient safety.
In a recent poll of biotech companies, there has been in increase in the acquisition of cybersecurity insurance to protect their companies and data against hackers looking to either make a quick buck off unsuspecting companies or challenge questionable business practices as activist hackers (aka hacktivism).
But cybersecurity insurance is not a cybersecurity strategy. It is only one risk mitigation tool, but as companies like Merck have discovered, having cybersecurity insurance does not offer full protection or guarantees.
While there is no way to 100% protect a company’s business operations, data, and IP from cyber threats, there are ways to mitigate risk through a cybersecurity initiative focused on people, processes, and technology. There is an expectation that reasonable precautions be taken and just as we focus on quality by design for drug products, we need to be shifting to privacy and security by design within the organization.
At the heart of this initiative are three basic fundamentals: an understanding of what needs to be protected, the value associated with these assets, and the company’s overall appetite for risk (risk tolerance). These drive the rightsizing of company’s cybersecurity strategy to safeguard its assets and reputation.
This is not a one-and-done activity. As biotech companies move therapeutics through the clinic and into commercialization, they are building value in the company and its associated assets. Not only is the company evolving and becoming more complex, but so are the regulatory and privacy requirements, use of technology, and the cyber threats. Hackers are getting access to better technology and can do more damage with less cunning and effort, too.
Since cyber threats present enterprise business risk and are not just a technology problem, the cybersecurity initiative needs to start at the top with executive leadership and oversight by the board of directors as part of their risk management responsibilities. At the board level, this can be part of the audit committee or a separate risk committee.
FDA has begun to generate guidance documents for the industry and organizations like International Society of Pharmaceutical Engineers (ISPE) have created special interest groups (SIGs) to provide additional guidance like we have seen with regulations such as 21 CFR Part 11.
Cyber threats are not going away and as biotech companies have become even more virtual, relying on cloud solutions, CROs, CMOs, and 3PLs, the complexity and interdependencies introduce additional risks to company assets, including data, providing added justification for making cybersecurity a major corporate priority.
Biotech companies without proper governance and oversight often throw data, systems, and processes ‘over the fence’ to vendors assuming that data protection is their responsibility. Just as a biotech would not simply ‘trust’ a CMO (contract manufacturer) to do the right thing with their product, biotech companies should be paying similar attention to outsourcing business functions and systems.
Early-mid stage biotech companies appear to be struggling with common challenges:
1. They see cybersecurity as IT’s responsibility and technical in nature; there is little to no executive level buy-in and no board oversight.
2. There are insufficient resources to understand cyber risks, generate an appropriately sized cybersecurity strategy, and monitor/respond to potential/actual threats.
3. There are no formal response plans.
4. There is little to no training on cybersecurity risks and responses including social engineering risks.
In life sciences, we are used to understanding and assessing risks, and adhering to regulatory guidelines. We operate in an industry that works together to generate guidance documents and systems for best practices for functional areas we value.
Biotech companies need to value their IP and digital assets, appreciate the threats, and make cybersecurity a corporate priority involving everyone in the organization. As a corporate priority, resources (financial and human) can be appropriately allocated to begin to reduce, but never eliminate, cyber risk.
There are frameworks for biotech companies to lean on and external resources that can be retained to assist with the control environment, risk assessment, control activities, information and communication, and monitoring activities. This is not that different from managing and reporting on the financial activities and condition of a company. On the financial side, there is accountability at all levels and has become a necessary part of doing business.
For biotech companies, embracing cybersecurity as a corporate initiative, simply a cost of doing business, will be a significant cultural shift. But one that may save its assets.
About the Author
Terri Hanson Mead provides IT compliance and IT strategy services for biotech, medical device, diagnostic, and digital health companies. Through her companiy, Solutions2Projects, she helps life sciences companies align technology roadmaps with corporate objectives and meet IT compliance requirements in a complex and regulated industry.
