
As companies continue to increase their global footprint, they also increase the footprint of the data they hold, and the locations in which they hold it. As business practices become increasingly digital, companies take on an increased risk of cyber-attack which can cause both disruption to regular business, as well as risk of regulatory and other legal action. This is especially the case for pharmaceutical companies who hold large amounts of highly valuable data in the form of research and analysis, as well as sensitive personal health data of patients.

The value of pharmaceutical data to cyber criminals is apparent with several major pharmaceutical companies including Sun Pharma, Evotec and Novartis having their operations disrupted by cyber-attacks. As recently as June 2023, Japanese pharmaceutical company Eisai fell victim to a ransomware attack, in which some of its servers were encrypted forcing the company to take systems offline both in and outside of Japan.

The number of cyber-attacks globally continues to trend upwards. At the same time, regulators have become increasingly active in the cyber security space. In this article, we highlight some of the key risks we are seeing for pharmaceutical companies as well as key messages we are hearing from cyber regulators.

Cyber threats to companies

Cyber-attacks can take many forms including:

  • Ransomware attacks in which hackers infiltrate a company's network and encrypt or exfiltrate data and then demand a ransom to restore the company's access to that data.
  • Phishing attacks in which attackers imitate legitimate people or institutions to obtain confidential information from employees. Phishing attacks are often precursors to more serious attacks such as ransomware or malware.
  • Malware attacks where confidential information is stolen and used for illegitimate purposes such as "outsider trading" and hacktivism.
  • Distributed Denial of Service (DDoS) attacks, where an attacker floods a server with internet traffic to prevent users from accessing connected online services and sites. These attacks can cause business operations to cease or be delayed for hours to days.

It is in this landscape that companies need to understand both their regulatory and contractual obligations when it comes to the safekeeping of data as well as operation of services in the event of a cyber-attack.

Global cyber regulatory landscape

There is an increasing appetite amongst regulators globally to investigate and prosecute companies for failure to prevent data breaches, with regulators in the US and Australia announcing that they intend to target board members personally for failure to implement adequate cyber security measures within their organisations in cases of serious cyber-security incidents. The UK and EU have also updated their cybersecurity legal frameworks in the last year, broadening the scope of cybersecurity obligations held by companies.

As soon as a data breach is detected, companies must assess whether they are required to disclose the data breach in any jurisdictions in which they operate. While disclosure may sometimes be daunting for companies, a failure to report can lead to heavy fines.

Cybersecurity incidents can also have other potentially significant legal and regulatory effects for pharmaceutical companies including loss of trust and competitive advantage, disruption to R&D activities as well as broader reputational damage.

Cyber legal risks

Some of the key legal risks for pharmaceutical companies include:

  1. Regulatory risk: Companies must comply with any notification requirements in the jurisdictions in which they operate. This can include obligations owed to information security regulators as well as to their industry regulators, and the timelines for notification in some jurisdictions can be extremely short.
  2. Class action risk: Where customer data is lost in a breach, class actions remain one of the biggest risks companies face. Pharmaceutical companies that hold sensitive health data should be particularly cognisant of this risk. Class action risk varies between jurisdictions. The UK Supreme Court recently published a decision arguably making it more difficult to prove damages in data breach class actions. However, class actions remain a serious concern in many major markets including the US, EU, and the UK.
  3. Commercial disputes: Companies may face legal action taken by business partners, customers or patients where commercially sensitive data, for example joint research and development data or clinical data, is lost in a data breach, or where business is disrupted and contractual obligations cannot be met due to a cyber incident. This risk is heightened given that pharmaceutical companies are more likely than most other businesses to hold highly sensitive personal data.

Mitigating legal risk

Some of the measures for companies to consider when mitigating their legal risk related to cyber-security include:

  1. Review internal policies, procedures, and countermeasures: Having adequate safeguards in place as a first step helps reduce both the likelihood and the impact of cyber-attacks. Additionally, in the event of a successful attack, having proper policies and procedures in place may be useful in responding to regulatory action and commercial claims.
  2. Review cyber insurance policies: Companies should be familiar with the scope of any cyber insurance they hold. Some insurance policies cover direct loss, others will cover ransom payments, and a smaller number also cover consequential losses including reputational damage. It is important to be aware of the scope of your insurance, and work with your insurers in the case of a cyber-attack.
  3. Review existing contracts: Companies should review their key contracts as well as any contracts where there is a significant cyber risk (for example, contracts with digital service providers that store significant quantities of commercially sensitive data or personal information). Key considerations in this review are the allocation of liability for data breaches, liability caps for cyber-attacks, and the scope of any force majeure clauses.
  4. Consider cyber risk when entering into new agreements: Specific cyber-security clauses should be carefully considered. Where companies are contracting with third-party digital suppliers or dealing with a large volume of data, adequate legal safeguards should be in place in the event of a cyber-attack resulting in a data breach or disruption to business.

Please reach out to any of the authors or your usual HSF contact if you would like to discuss how to protect your business against the legal risks arising from cyber-attacks.

Key contacts

Michael McErlaine

Senior Associate, Tokyo