Innovation in Life Sciences brings Great Possibility, but also New Risks

The powerful current of new digital technology has caused disruptive and transformational changes in the Life Science industry. This is changing the future of cancer treatment, producing life-changing vaccines, and allowing for valuable research efforts that many of us couldn’t even imagine. Much of the innovation is being powered by data and in many cases more and more personalized data. Information has never been more valuable and life sciences are becoming one of the most vulnerable industries to data breaches.

What’s at risk?

The cyber risks that plague life sciences can be detrimental. Compromised biotech research goes beyond issues for shareholders— there could be information powerful enough to develop dangerous products and bioweapons. As criminals and other threat actors continue to uncover new ways of monetizing sensitive and confidential data, these data assets are in turn becoming more and more valuable. Cybersecurity threats in the life sciences industry can directly put people’s health, safety, and security at risk. Many pharma and biotech companies, especially high-profile consumer brands, are high-value targets for cyber attackers.

Among the major threats in pharma and biotech are these three top points of concern:

  • Clinical Trial Data: this includes sensitive patient data that is generated from clinical trials— this is at-risk information on both a patient level and a commercial level.
  • Confidential Information and Intellectual Property: regarding the manufacture of biologic drugs, etc.
  • Commercially Sensitive Information: drug pricing and promotion

Cyber Threats in Life Sciences

Information-related risks including fraud, cyber, and security risks are now the areas of greatest concern for pharma and biotech sectors, as well as the sophisticated nature of medical devices and their connectivity schemas. Commercially sensitive information in all of these areas is at an all-time high. Physical theft or loss of intellectual property (IP) is currently the most prevalent type of security incident in the life sciences sector. Incidents relating to theft and loss of IP are costly and wide-ranging, affecting employees, customers, the organization’s reputation and bottom line, and putting these important research and development projects at risk.

Interconnectivity of corporate data networks is necessary for life sciences; however, this has made intellectual property that much more vulnerable to cyber thieves who can monetize this valuable data. Categories of IP within the life sciences and medical device sectors include pharmaceutical and biotechnology patents, copyrighted data sets and reports, and trade secrets.
Life science organizations should also guard against the loss of personal information such as financial information, personal health information, and medical data.

6 steps for protecting your sensitive proprietary data and IP assets:

1. Identify and data map IP assets within digital and physical systems. This should be done both onsite and in the cloud and include those with access, such as remote vendors and clinical researchers.

2. Protect IP assets by implementing contractual, physical, and digital security systems.

3. Stay informed on the most recent cybersecurity risks. Implement basic security rules and create a security policy program that works to protect your IP assets.

4. Conduct risk assessments regularly to evaluate and simulate best practices around protecting the company and stakeholders in the event of a system and/or data breach.

5. Gain an understanding of the added risks that the Internet of Things and remote medical devices bring. Expect an exponential increase in cybersecurity risks and be prepared to mitigate.

6. Become educated on the legal framework surrounding protection of the confidentiality of IP assets. Additionally, understand the liability and regulatory frameworks impacting cybersecurity in life sciences and medical devices sectors.

Why now?

Cybersecurity should be one of the main focuses in almost any organization’s agenda, but especially for those in the life sciences sector. The massive growth rate and use of Big Data and the Internet of Things are just some of the examples of the need to be hyper-focused on privacy and data security. Systems have never been more complex and interconnected, as powerful and sophisticated discoveries continue in pharma, biotech, and medical devices. Life Science companies should use all tools available, including those offered by their insurers, in order to predict and prevent risk— not just once a year at the Cyber Insurance renewal, but throughout the year.

The Franchisee Factor

Cyber liability poses some unique questions for franchise organizations. Often after a data breach, any well-known retail brand name might lick their wounds, learn a lesson or two, release the specifics around the compromised data, and move on.

An interesting wrinkle arises when you factor the nature of the relationship between the franchisees and the central corporate entity. The franchisees, in most cases, are independent business owners who pay for the privilege of using the Corporate brand and supporting services. When a breach occurs, the affected owners could take a substantial hit to their wallets in the form of lost income, lost wages, spoiled food and other costs, and might look to the corporate “mothership” to make them whole again.

These sort of liability questions might lead the franchisees to take legal action that could significantly impact the potential financial payouts. This situation highlights the fact that franchise organizations have a unique set of challenges when it comes to cyber threats.

The Downside of Franchisor/Franchisee Interdependence

Franchisors and franchisees have an interesting interdependent relationship because while they are different companies, they share entangled domains of trust and risk. Each relies on the other to do its part to protect information and information systems, but many times the incentives aren’t aligned to position both for success. Some of the factors contributing to this poor alignment include
the following:
• The franchisee is often a small individual business that doesn’t have the resources to adequately defend itself when threats arise.
• The franchisor typically avoids getting involved in the specifics of how a franchisee operates because the franchisee is an independent and separate organization and the franchisor isn’t structured for this level of micro-management. After all, the entire model behind a franchise- based enterprise is to allow the business to grow organically by taking advantage of the capital and sweat equity of each franchisee.
• The franchisee operates a local network that depends on services provided by the franchisor. Sometimes the networks share technical access to each other, which can be exploited by attackers to move laterally across networks.
• In many situations, franchisees will share a third-party resource for IT management. Even though franchises are operated independently, shared administration creates a logical broad domain of trust that can be leveraged to launch attacks which hit all independent franchises simultaneously.

Naturally, attackers are aware of all this and it’s not uncommon for them to target individual franchise locations in order to pivot to others or gain access to the broader franchisor network. Alternatively, they may target third-party service providers in order to hit large numbers of franchises at scale. When this happens, complicated questions of liability arise.
• What obligations do individual stores have to protect themselves and each other from cyber threats?
• What role does the franchisor play?
• What’s the appropriate level of security when defending against sophisticated attackers and
what penalties should be assessed when those defenses aren’t up to the task?
• When defenses fail, who is responsible for reporting the breach to consumers?

Regulators are Taking a New Approach

Regulators are shifting the way they view the franchisor/franchisee organizational relationship, even though these are independent operations. When the consumer walks in the front door and swipes his credit card, he’s placing his trust in the logo on the outside of the building, not in the unseen entity whose name is on the local lease.

In 2015, Wyndham Hotels and Resorts settled a lawsuit launched by the U.S. Federal Trade Commission after a data breach at a single franchise hotel in Phoenix raised questions concerning Wyndham’s responsibility to protect consumer data across its 8,000 independent hotels around the globe. As part of its settlement, Wyndham agreed to launch a comprehensive information security program for franchisees, including conducting annual audits.

In 2018, an attack on Canada’s Tim Hortons added a new twist. Most often, when security breaches associated with a retail brand hit the news, it’s because of the impact on consumers. However, the Tim Hortons incident involves direct B2B liability with quantifiable financial damages. This case could set an important precedent and should put all franchisors on notice that keeping their franchisees at an arm’s length can lead them to ignore key risks they should be addressing — for instance, the fact that the franchise business model exposes a complex and extensive attack surface. It’s time for franchisors and franchisees to sit down together and ensure that all franchise defenses are up to the challenge of today’s most sophisticated, targeted threats. It’s also time the insurance industry step up with new products that address these new complicated risks for all parties.

Cyber

Smart Cyber Insurance and The Evolution of Cyber Risk

Massive retail data breaches, state-sponsored malware attacks, and the mishandling of sensitive information by the world’s largest companies have kept cyber risk in the headlines for the greater part of the last decade. Digitization has forced even smaller organizations to consider a wide variety of both internal and external threats to data security. The self-contained enterprise is a thing of the past, as more companies rely on third party vendors for services related to data storage, web hosting, IT security management, logistics and more. While these providers have allowed companies to operate more efficiently, cyber exposures have increased as a result. It’s no wonder cyber liability coverage has received much of the recent attention in the commercial insurance world.

Nearly 15 years ago, the earliest versions of stand-alone cyber policies would only cover third-party liability arising from the wrongful release of confidential information. Expenses related to first-party breach notification costs, digital forensics, data destruction, and contingent business interruption were not typically addressed. Not only was the coverage limited, but the underwriting process was arduous as insureds were forced to complete lengthy applications, supplemental questionnaires, and teleconferences to discuss the details of their IT security. Carriers offered few proactive risk management services, forcing insureds to incur additional expenses if they needed guidance on IT security best practices.

While insurers have made progress broadening the scope of cyber coverage, unfortunately many of the outdated methods of underwriting remain commonplace and carrier loss prevention advice is often inadequate.

At Corvus, we take a vastly different approach to underwriting and risk management. We believe in leveraging the best technology to assist our policyholders proactively address cyber risk. Rather than relying on prolonged applications with limited value, we use non-invasive web scans as part of the underwriting process and we provide our customers with meaningful insight into their IT security performance. At the time of quoting and throughout the policy period, we deliver a detailed analysis of the insured’s security operations with concise, risk-prioritized recommendations to resolve critical vulnerabilities. We red-flag IT supply chain issues and we offer meaningful business intelligence reports to insureds that are serious about confronting cyber risk head-on. Policyholders have access to a number of resources to help strengthen their IT security posture, including sample IT security policies, online privacy training, and a directory of pre and post breach experts. We call this process as Dynamic Loss Prevention™.

More precise underwriting means improved coverage and competitive premiums as well. Insureds with the strongest IT security controls are eligible for broad-form first and third party coverage, including extensions for blanket contingent business interruption triggered by cyber perils, system failure, reputational loss, social engineering, ransomware, and much more.

Our mission at Corvus is to arm commercial insurance brokers and our policyholders with the best available tools to tackle cyber risk from all angles. A modern and dynamic solution is required to address a constantly evolving risk landscape. This tech-enabled, holistic approach to risk management is what we call Smart Cyber Insurance™.