The pharmaceutical industry is known for its mergers and acquisitions activity. While great for business, this activity can also increase security risk. Fortunately, there are strategies and security solutions that help minimize and mitigate the threats that come with pharmaceutical mergers and acquisitions, keeping sensitive patient information, OT/IT technology, and business processes secure.
According to Simon Roach, the former CIO of Global Pharmaceuticals for GSK who now serves as a security consultant, one characteristic of the pharmaceutical industry that complicates its information security posture is heterogeneity: IT complexity that results from mergers, acquisitions, and divestments. In these scenarios, legacy IT assets often remain operationally functional but have outlived their cybersecurity lifecycle, and they are difficult, and often viewed as impossible, to secure against rapidly evolving threats.
“Think about the way the pharma companies have grown up over many years,” Roach says. “Some of them are hundreds of years old and they’ve been born out of lots of acquisitions, mergers, divestments of different assets, etc. So, you end up with quite a diverse set of technologies that are harnessed by that company to do business.” The mix of old and new technologies, along with differing cybersecurity strategies, is a concern.
The IT complexity that comes with a merger or acquisition in the pharmaceutical industry poses a cybersecurity risk. That risk carries over to operational technology (OT) as the two previously distinct networks are digitally connected. In fact, pharmaceutical and biotech companies suffer more breaches than companies in any other industry, with 53% of those breaches resulting from malicious activity. Manufacturing cybersecurity is also at risk when multiple pharmaceutical plants in varied locations around the globe operate different systems.
Operational technology environments are capitalizing on the principles of digital transformation. As more and more industrial controls are digitized, more and more data is collected, and this valuable intelligence can support efficient decision-making. In the majority of instances, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that have historically been air-gapped are now being connected to corporate networks—and therefore to the internet. As the air gap is eliminated, these systems are exposed to an increasingly advanced threat landscape and become targets for attackers. Cyberthreats can exist before a merger or acquisition, but they are only exacerbated when new variables are added to the equation.
When it comes to cybersecurity, there are a number of imperatives facing the pharmaceutical industry. Of course, it all starts with protecting revenue and operations. Security breaches can affect the bottom line. Breaches can result in fines, decreased revenue and orders, production stoppages, and a tarnished reputation. All of this adds up to billions of dollars in liabilities. So, what can be done to minimize and mitigate the cybersecurity risks associated with these mergers and acquisitions?
As pharmaceutical companies grow larger and more complex, they must unify their cybersecurity strategy and take into consideration the needs of both IT and OT. Many companies have aging and separate IT/OT management that presents operational and security challenges, posing a risk to everything from R&D to manufacturing and sales. In addition, failure to adequately protect against cyber threats and to demonstrate compliance with multiple regulations and standards can result in lost intellectual property as well as hefty fines. End-to-end security integration across the entire cyber-physical landscape, especially IT and OT infrastructure, provides greater transparency and visibility into impending threats as well as seamless upgrades as regulations evolve.
“The adoption of M&A governance among pharmaceutical organizations is key to reducing cyber risk, realization of synergies, operational efficiencies, and strategic growth,” adds Troy Ament, Fortinet Field CISO Healthcare and Life Science.
The last of the imperatives is the debate over incremental change versus a rip-and-replace strategy when acquiring new technology or maintaining legacy technology. The reality is that pharmaceutical companies have no appetite for total replacement because they cannot tolerate disruption to operations, supply chains, and the business. The result is a mix of old and new technologies, with all of the risks that come from the inconsistencies inherent in that type of structure.
Pharmaceutical companies must protect legacy technology as they incrementally upgrade to new, innovative solutions. Continuity and uninterrupted processes are an absolute requirement, with R&D fueling new products and the supply chain fueling production at a plant.
A challenge that comes with the growing number of mergers and acquisitions in the pharmaceutical industry is that acquisition targets do not consistently possess adequate security infrastructure. The merger and acquisition process therefore needs to give greater weight to cybersecurity best practices when connecting to an already complex web of affiliated and unaffiliated research sites, subdivisions, and distribution partners.
Pharmaceutical entities, production facilities, and branch offices routinely access and transfer intellectual property, electronic protected health information (ePHI), and other sensitive operational data. Owing to their disconnected systems, pharmaceutical enterprises struggle with visibility, data control, access auditing, and compliance reporting throughout their ecosystems. In addition, when two or more distinct systems are digitally connected, their cybersecurity risks become linked, compounding the challenge of protecting an expanded perimeter and attack surface. Of course, with these challenges come opportunities for improvement and for committing to the goal of cyber resilience. Pharmaceutical organizations must adopt a practicable approach to augmenting security, one that brings consistent and complete risk mitigation, total assurance, and the ability to thrive as they grow, merge, divest, and acquire new businesses.
“Lack of visibility or understanding of assets within an unknown network presents a common challenge in securing it. The second challenge is how to quickly implement a minimal form of protection to block bad actors as quickly as possible. A typical journey involves assessment, evaluation, procurement, implementation, and monitoring. We choose instead to focus on a journey’s outcome rather than typical repetitive assessment, technology, and services procedures, compressing the average timeframe,” comments Zhanwei Chan, Global Head of OT/IoT Practice, NTT Ltd.
Mergers and acquisitions are a regular occurrence in the pharmaceutical industry, and they pose a unique challenge from a cybersecurity perspective. If a company's valuable data is compromised or improperly protected, that could threaten a merger or acquisition before it becomes final. When companies are integrated, their cybersecurity strategies and solutions are not always aligned, and the transition can bring swift changes to security or increase the risk of exposure to threats.
Even when pharmaceutical companies are not involved in a merger or acquisition, they face cybersecurity challenges ranging from network complexity to antiquated OT systems and compliance. The good news is that there are cybersecurity systems designed to help keep complex pharmaceutical businesses secure. An important step in solving complex security issues is to take a cohesive architectural approach to cybersecurity. This provides the visibility, automation, and fast response to threats required to thwart attacks and easily demonstrate compliance.