In 1999, the world was abuzz about Y2K and the potential for technological and economic collapse. As it turned out, this laser focus on solving for Y2K was the accelerant for a new digital era of exponential growth and globalization 3.0. The Life Sciences industry was leading the way in this transformation with a decade plus of major change highlighted by monumental acquisitions, revolutionary divestitures and rapid-paced supply chain evolution. This happened despite geopolitical events – including 9/11 and the 2007 global economic meltdown – and regulatory headwinds – including from the Sarbanes-Oxley Act om the U.S. and the European Medicines Agency in the EU.
This wave of globalization influenced the mindset of corporate leaders and heads of states across the globe as they grappled with sovereign identification and economic growth and empowerment, particularly with the middle class. The Golden Arches theory of conflict prevention served as a theory on economics and conflict for many global enterprises, including pharma and medical technology, which measured geopolitical risks through this lens.
Fast forward to Q1 2022. Given recent geopolitical events – including the Russia-Ukraine crisis and trade wars with China – and new regulations – including the General Data Protection Regulation (GDPR) and the Food and Drug Administration Safety and Innovation Act (FDASIA), business executives are considering whether some of the underlying principles of the Golden Arches theory are changing. If so, Life Sciences companies would be some of the most highly impacted entities given their broad supply chain and manufacturing operations.
Based on conversations with recognized experts and corporate and governmental leaders, we recognize a distinct paradigm shift. Of course, enterprise planning continues for business prosperity, but, at the same time, businesses must prepare for major transformation, if not revolution, in global business operations.
The change impacts three primary areas associated with current, developing and geopolitical events and the shifting dynamics of industry regulations. In this Part 1 article, we will look at the cybersecurity threats facing Life Sciences companies and requirements needed to combat them. The second article in the series will focus on potential for supply chain interruption and the countermeasures that leading organization are using to build their strategies. We will close the series with a look into the potential for disruption of technological infrastructure and the associated impact on enterprises.
Part 1 – Cybersecurity Threats
Awareness of cybersecurity has certainly been a top agenda item for corporate boards for several years now. And it comes as no surprise that chief information security officers (CISOs) from leading global organizations are ramping up efforts in response to the recent Russia-Ukraine conflict. While the military campaign of soldiers and munitions wages on in easternmost Europe, the equally dangerous threat of cyber-attacks, particularly state-sponsored attacks, looms large in the background for all developed nations and global enterprises. Currently, nation-sponsored cyber-attacks account for roughly 13% of all attacks – a number that continues to grow.
"The cybersecurity threat from Russia will likely get worse before it gets better.”
Doug Saylors, ISG Co-Leader Cybersecurity
Wall Street Journal / 9-March 2022
To date, most attacks have not focused specifically on the Life Sciences industry, but that can and will likely change. Cyber warfare will create collateral damage in uninvolved countries and global enterprises far from the physical battlefield. This fact, in many regards, is reminiscent of the Cold War era mentality of “spy vs. spy.”
Three Types of Cybersecurity Threat for Life Sciences
Assaults are likely to have one or more of three potential objectives:
- Corporate ransom. It is estimated that approximately two-thirds of ransom attacks result in the victim paying some sort of ransom. This has been debilitating to the energy sector. Life Sciences enterprises need to be keenly aware that they too are in the crosshairs of threat actors, particularly the more aggressive Hive ransomware. A cyber lockdown of drug manufacturing facilities or medical device commercial operations could irrevocably cripple competitiveness of an organization.
- Dissemination of personally identifiable information into a public domain. The attack surface for this type of attack has expanded recently by the industry’s efforts to improve the patient experience with wearable medical technology devices and personalized, smart medication. This type of attack can leave a Life Sciences enterprise reputationally injured and potentially subject to financial loss associated with damage to the corporate brand, regulatory fines, restitution and legal defense fees.
- Debilitation of technological infrastructure, both on premises and in the cloud. This could be the most clandestine attack as it not only leaves behind carnage within an organization’s technical architecture, but it also can leave behind a dormant undetected trojan to scout for future gaps and weaknesses.
Cyberattacks are extraordinarily punishing for an organization. Statistics indicate an average cost of nearly $4 million per incident and approximately 280 days to resolve. The Russia-Ukraine conflict has heightened cybersecurity awareness, but this is in addition to a sharp rise in cyber-attacks resulting from the Covid-19 pandemic. Covid became a gold mine for attackers. For decades prior, perimeter protections were willingly bypassed to “keep revenue flowing.” Companies also now have many more remote workers than they used to, and this represents a significant vulnerability from the standpoint of both technology and behavior.
Supply Chain Vulnerabilities
Of major concern for Life Sciences companies is the possibility of a supply chain breach. These are typically multi-faceted, diverse, global and highly complex. Securing the supply chain from a breach in the digital era requires a rigorous and wholistic strategy that includes hardware, software (including authors), networks and business processes. Resiliency and recovery must continually evolve to match an organization’s risk tolerance throughout digital transformation.
Our research and analysis indicate that billions of dollars are being spent on new and innovative protection technologies, but, unfortunately, the money is being spent without comprehensive knowledge of which assets are most critical to enterprise stability. This can be a fatal error. The reality is not every asset can be protected from every attack. Prioritization and stratification are essential. It’s also not enough for an enterprise to focus its attention only on the technology fortress.
Agile Risk-based Cybersecurity Strategy
Leading organizations are intentional about developing and updating an agile risk-based strategy that addresses their IT architecture as well as the common weak link of behavioral compliance. Solutions that can help address risks associated with behaviors from internal stakeholders include cognitive automation, code enforcement and training-as-a-service (sometimes gamification). Additionally, companies need to develop or revise their incident response playbook to serve as a go-forward plan in the case of a major cyberattack or infiltration. This should specify plans for a highly collaborative team that includes cross-functional IT leaders, functional enterprise leaders who oversee business processes, internal and external risk/legal leaders, investor relation or corporate communication stakeholders and third-party experts.
For Life Sciences enterprises, cybersecurity is likely at the top of your board’s agenda. Executing on a sound strategy will quite possibly be the differentiation that separates leaders from the rest of the field. In Life Sciences 2022-2023: Part 2 Supply Chain Interruption, we will examine the external forces impacting the Life Sciences supply chain and potential mitigations.
ISG helps Life Sciences firms make the most of their cybersecurity investments, find the right partners to implement solutions and accelerate growth. Contact us to find out how we can help you.
About the author
Michael Fullwood is an ISG Partner with extensive financial planning and analysis experience. His areas of expertise include sourcing assessment and RFP management, contract negotiations and transitions. He has guided major multinational companies in the Americas and Europe through multi-functional outsourcing projects and shared services transformation. Michael has more than 20 years of experience advising clients on strategy and implementation and is an accomplished leader who articulates a compelling point of view for ROI optimization and speed to value. His work enables companies to optimize support services operations, contract for and implement digital/automation, and formalize processes, metrics, governance and reporting.