We’re in an era where cyber risk is a very real threat to every business sector. So much so that in 2013 the White House issued an executive order (EO 13636, “Improving Critical Infrastructure Cybersecurity”) elevating cyber risk management to a national matter, particularly for businesses operating in what are deemed “critical infrastructure” sectors.
And while the life science sector is vulnerable to many of the same types of cyber threats as others, its exposure is often smaller than it is for other verticals.
So in this post, we’ll look at how to assess the cyber exposure of a life science company in order to make more informed decisions about this risk area, and about the consequent need (or lack thereof) for cyber coverage.
Common Cyber Exposures for Life Science Companies
Cyber risk is multilayered, so first, a reminder on two of the most common types of cyber exposures:
- Cyber events that compromise confidential third-party data; and
- Cyber events that cause a business and/or network interruption
As a number of recent, highly public incidents show, cyber risk exists in many places within any business, and most cyber insurance policies written today address many of these potential risks.
Cyber exposures can vary depending upon the type of life science company involved.
If you’re a pre-commercial drug company whose clinical trials are run by a third party (typically a contract research organization), for example, you usually have neither access to nor control over confidential patient information. A diagnostics company that analyzes patient samples, by contrast, will almost certainly hold confidential patient information.
While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs a breach of confidential patient information in both of the cases above, responsibility for the breach would fall on the third party in the former case and on the diagnostics company in the latter. In practice, your contracts with that third party should say so explicitly, and you should confirm what patient data, if any, it shares back with you, since any identifiable data that lands on your systems becomes your exposure.
Beyond HIPAA, many life science companies hold data protected by other state or federal laws. California’s data breach notification law (SB 1386), for example, expanded its definition of compromised personal information in 2013 via SB 46 to include a user name or email address in combination with a password, or a security question and answer, that would permit access to an online account. In other words, a breach of your customer portal’s credential store can trigger notification obligations even when no health or financial data is involved.
It should also be noted that the increasing network connectivity of medical devices creates new cyber risks, both for the devices themselves and for the health care organizations that use them. These risks include the compromise of confidential third-party data as well as business interruption.
On top of all this, a cyber event can arise in several ways: an external intrusion, a technology failure, or the loss or theft of a laptop or device holding confidential information.
Assessing Your Cyber Risk as a Life Sciences Company
So how does a life science company quantify its cyber risk? The first step in understanding cyber risk is analyzing potential exposure areas. Can you answer “yes” to any of the following questions?
- Does your business store or have access to confidential information? If so, is it employee data? Patient data? Customer data? Data from third-party organizations?
If you answered yes to any of the previous questions, the next step is understanding the specific type and scope of that data:
- Is the data considered “protected health information” under HIPAA? Payment card data? Other confidential information?
- Is the third-party data primarily intellectual property, or something else?
- Concretely, how many individuals’ confidential records do you store or have access to?
From those answers we can begin to develop a specific exposure profile and assess your financial exposure to a cyber event. This analysis informs whether to pursue cyber insurance coverage, and the types and amounts of coverage to consider.
In this financial analysis, we would quantify areas such as:
- The liability associated with the breach or disclosure of the individual records you manage, based on the type and volume of that data.
- The legal costs and expenses of managing the cyber event, such as notifying affected individuals, providing credit monitoring and identity theft services, and engaging a digital forensics and incident response team.
- The costs of business interruption caused by a network security failure.
In sum, every business today faces cyber risk because technology is at the core of what we do and how we operate. The good news is that cyber policies have come a long way in recent years and now cover a wide range of these risks.
With the right exposure assessment and coverage analysis in place, life science companies can be well equipped to face most of today’s cyber threats.