Safeguarding the life science sector against cyber risk

    The Knowledge
    7th December 2023

    As the COVID-19 pandemic made clear, the life sciences sector is a key pillar of modern economies. Its breakthroughs can demonstrate a nation’s strength and attract investment. In the wake of the pandemic in the UK, the government developed a Life Sciences Vision that set out an ambition to become a “science superpower” by 2030.[1] In mid-2023, it unveiled a £650 million package to support the UK’s life sciences sector and spur further development.

    But as the sector becomes more valuable, it also becomes a more appealing target for crime. Life sciences companies, including medical technology, digital health and pharmaceutical firms, possess plans for potentially life-changing drugs and medical devices that could generate billions of pounds in revenue. Cyber criminals are eager to seize a piece of that. In 2023, the average cost of a breach in the pharmaceutical sector is £3.9 million. In the healthcare sector, it’s £8.8 million.[2]

    While life sciences companies experience some of the costliest data breaches of any sector, the real threat of cyber-attacks against these companies is the loss of intellectual property (IP).[3] IP can represent up to 80% of a life sciences company’s value, so the theft of this asset can devastate an organisation, causing it to lose exclusive control over proprietary and confidential information, as well as its competitive advantage in the marketplace. Breaches of medical records can be expensive to remediate and may lead to regulatory fines, legal expenses, reputational damage and the loss of customer trust.

    Protecting intellectual property

    Unfortunately, life sciences companies can be vulnerable targets for these crimes. Deloitte research found that many organisations in the sector haven’t invested in cyber risk programmes that keep pace with their evolving development. Further, if cyber-related regulations haven’t forced a company to invest in stronger cybersecurity, it may lack the tools that empower it to detect and respond to attacks.[4]

    There are risks beyond the walls of a life sciences company too. An organisation’s IP is often shared with others in ways that give cyber criminals an opportunity to capitalise on it. Companies in the sector must often exchange confidential information with partners across borders and via the cloud. While this may expedite research and development, it can also expose IP to theft.

    The many links in a company’s supply chain further increase cyber vulnerability. If just one supplier lacks effective security controls, cyber criminals can infiltrate organisations along the chain. These security weaknesses represent low-hanging fruit for cyber criminals – an easier target is a more attractive one.

    Plan for the inevitable

    The odds of a cyber-attack are high and potential losses great, but insurers and brokers are in an important position to help life sciences clients understand their risks and proactively protect their interests.

    It’s important to advise clients to take these steps:

    • Inventory network assets and identify the most critical. This process should be ongoing as assets evolve.
    • Isolate sensitive information from the data and tools employees use every day and store backup data offline.
    • Restrict access to the organisation’s most critical data.
    • Use protections such as multi-factor authentication and an endpoint detection and response solution.
    • Create a security-first culture. Suppliers, vendors and cloud providers should maintain, at a minimum, the same security standards as the business.
    • Actively scan the network for unauthorised activities, including systems that remote workers download to their devices that could compromise security.
    • Continually update patch management strategies.
    • Use a well-defined, customised framework of standards and practices to reduce cyber vulnerability and ensure ongoing compliance. Ensure employees understand their roles and have trained backups.
    • Build medical devices with cybersecurity in mind from the earliest stages of design through production.
    • Train employees to recognise social engineering tactics, such as phishing emails and malicious links.

    Cyber insurance as a safety net

    Even the most rigorous security measures can’t prevent cybercrime. But cyber insurance can soften the impact of an attack by helping to cover the costs and legal claims resulting from a breach. Importantly, it also provides expert support to organisations in the wake of a cyber-attack, when anxiety can run high and it’s critical to be able to act quickly and effectively to contain damage.

    Travelers’ Technology and Medical Technology Cyber insurance offers broad, flexible coverage options to help protect clients in the life sciences sector from damages associated with an incident, including cyber extortion, data restoration, breach notification, business interruption, and reputational harm.[5] Policyholders can also access services to mitigate the effects of cyber risk before and during an incident – so the organisation can make itself a more difficult and less appealing target for theft. If a breach does occur, they have the benefit of expert support that can help set them back on track as quickly as possible.

    The information provided in this document is for general information purposes only. It does not constitute legal or professional advice nor a recommendation to any individual or business of any product or service. Insurance coverage is governed by the actual terms and conditions of insurance as set out in the policy documentation and not by any of the information in this document.