The life sciences sector is undergoing significant transformational change driven by the increasing adoption of digital technologies. From artificial intelligence automating routine tasks, to cloud platforms and the Internet of Things (IoT) supporting R&D, organisations have been able to re-route talent and facilitate more efficient analysis of data, aiding drug discovery efforts.
Accelerated by the COVID-19 pandemic, the pace of digitisation across every stage of the product lifecycle has seen pharma companies scaling the production and supply of products to health organisations, whilst at the same time, facing pressure to develop new therapeutics and vaccines for the virus.
In efforts to meet demand and bring products to market quickly. The adoption of new technologies, and the new ways of working this brings, could mean cyber risk assessments have been de-prioritised, potentially leaving organisations exposed.
Cyber security risks in life sciences
Cyber criminals target businesses within the life science sector to obtain both the significant personal data they hold and the intellectual property on new drugs or diagnostic tools.
COVID-19 has accelerated cyber-criminal activity in every sector. According to the latest UK Government figures eight out of ten UK businesses say cyber security is a high priority for senior management.1 Hardly surprising, as almost half have experienced a security breach or cyberattack in the past 12 months. But with just 11% of businesses thought to have a specific cyber insurance policy in place,2 millions could be at risk.
The consequences of a cyber-attack on life science operations are severe for both a firms’ financial and reputational status. Life sciences companies should take a holistic approach to reviewing each stage of the product life cycle. Identifying vulnerabilities will allow companies to devise a robust risk mitigation plan.
Steps to take to mitigate cyber-security risks
Define your cyber-threats and consider the consequences
Undertake an exercise to identify the underlying cause of a cyber-threat. This can range from your network and anti-virus tools to employee training. Then consider the consequences of a cyber-attack. For example, liability to stakeholders, property and asset damage, reputational damage, and business interruption. And score cyber-loss scenarios based on likelihood and impact.
Quantify the level of cyber risk exposure
How much would need to be invested to manage and mitigate the risk of a data breach or system interruption? Consider how you can best optimise available risk transfer solutions.
Identify your cyber-security strengths and weaknesses
Evaluate what you do well to mitigate cyber-risks and where you can improve. Do this against a leading cyber security framework. For example, benchmarking maturity across the five NIST Cyber Security Framework areas: Identify, Protect, Detect, Respond and Recover, can help you develop a balanced cyber mitigation and management strategy. Our cyber-security calculator may also be a good place to start.
Regularly review your cyber security initiatives
Once you’ve recognised that cyber-security is an ongoing activity that needs to be refreshed regularly, the more prepared you’ll be. Exercises such as compliance, low-level risk management processes, and technical evaluations at a project and operational level, should be refreshed more frequently.
Assess your risk appetite
If you’re considering new collaborations such as Joint Ventures or mergers and acquisitions, carefully evaluate the cyber-risk. Develop a cyber due diligence process alongside other areas of due diligence during a transaction to avoid unanticipated risk exposure.
Time for a fresh look at cyber risk?
A strategic overview of your cyber-security position goes beyond IT teams. When it comes to cyber, the risk can be mitigated, managed, and recovered from, but it cannot be eliminated. Taking a complete view of people, processes, and technology, and developing a culture of risk awareness and ownership from the top down across the organisation is essential.
Implementing a complete product life-cycle approach, which considers security during the design, development, and operational phases of the product, will support investment priorities for cyber across the entire product life cycle in an effort to improve overall security. And with attacks on the rise, it makes business sense to take a fresh look at cyber insurance.