Cyber Risk and Life Sciences: Adapting to the Changing Landscape
The life sciences sector is undergoing significant transformational change, driven by the increasing adoption of digital technologies. Drug discovery increasingly uses disruptive technology such as artificial intelligence, with the automation of routine tasks allowing talent to be redeployed. Furthermore, cloud platforms and the Internet of Things (IoT) are being used in R&D to enable more efficient synthesis and analysis of data.
The COVID-19 pandemic is accelerating the pace of digitisation across every stage of the product lifecycle. Pharma companies have had to scale the production and supply of products to health organisations; at the same time, companies are under pressure to develop new therapeutics and vaccines for the virus.
The push to adopt new technologies and ways of working in order to bring products to market urgently could mean that assessing cyber risk is not prioritised, leaving organisations exposed.
Adapting to a Changing Environment
Criminals target life sciences companies to obtain both the significant volumes of personal data they hold and the intellectual property behind new drugs or diagnostic tools. The COVID-19 crisis has only heightened cyber-criminal interest in the sector, including alleged state-funded cyber-attacks.
The consequences of an attack for existing operations, the safeguarding of intellectual property, and reputation are severe. As every system has vulnerabilities, life sciences companies should take a holistic approach to reviewing each stage of the product life cycle. Identifying vulnerabilities will allow companies to devise a robust risk mitigation plan.
- Undertake an exercise to define the main forms of cyber threat faced by the business; identify the underlying cause and loss consequences (such as liability to stakeholders, reputational damage, property and asset damage, and business interruption), and score cyber loss scenarios based on likelihood and impact.
- Quantify the level of cyber risk exposure in relation to a data breach and/or system interruption to understand how much investment is required, in terms of risk mitigation and management, to optimise risk transfer solutions.
- Evaluate the current cyber security maturity of the organisation against a leading cyber security framework to identify strengths and areas for improvement. For example, benchmarking maturity across the five NIST Cyber Security Framework functions (Identify, Protect, Detect, Respond and Recover) can help organisations develop a balanced cyber mitigation and management strategy.
- Recognise that this process is an ongoing activity that needs to be refreshed at least annually. Some exercises, such as compliance, low-level risk management processes, and technical evaluations at project and operational level, need to be refreshed continuously.
- Assess your risk appetite. With new collaborations, joint ventures, and increased M&A activity to meet the COVID challenge, organisations should very carefully evaluate the technical debt or cyber risk they take on during product or organisational M&A activity, to avoid unanticipated risk exposure. Companies can do this by developing a cyber due diligence process that runs alongside the other areas of due diligence, such as financial, during a transaction.
A strategic overview of the organisation's cyber security position goes beyond IT teams. Taking a complete view of people, processes, and technology, and developing a culture of risk awareness and ownership from the top down across the organisation, is essential.
Implementing a complete product life-cycle approach, which considers security during the design, development, and operational phases of the product, will guide cyber investment priorities across the entire product life cycle and improve overall security.