Third parties, data protection and your life sciences company

Why contracts, culture and careful planning are key

Sep 13, 2021
Transaction advisory Life sciences Biopharma
Risk consulting Cybersecurity consulting Medtech Cyber due diligence

Third-party organizations can be a significant contributor to the moving force of a life sciences company. From biopharma to medtech, third parties provide life sciences businesses mission critical support, diagnostic specialization and clinical resources, whether it’s via assistance with trials or by manufacturing and distributing pharma products or medical devices and components. However, while the benefits can be a game changer for a growing life sciences business, there are growing challenges and risks in working with and relying on third parties, particularly related to ensuring cybersecurity.

The growing cyberthreat

According to the RSM US Middle Market Business Index Cybersecurity Report, 28% of the executive respondents indicated that their companies experienced a data breach in the last year, up from 18% in 2020. In addition, 64% believe that an attempt to illegally access their company’s data or systems is likely in 2021. Further, the NetDiligence® Cyber Claims Study indicated third parties accounted for 8% of the security and privacy claim breaches in the businesses they served. Some studies have indicated even higher percentages of cyberattacks and resulting claims.

Why life sciences companies?

Certainly, cyberthreats are an escalating concern for companies and the third parties they work with. Life sciences businesses, in particular, are enticing to cybercriminals given their vast data collections of health, diagnostic and scientific information. By some estimates, health data is 50 times more valuable on the dark web given its usefulness in identity theft. Likewise, stolen health information frequently goes undetected longer than financial information, giving bad actors more time and opportunity to use the stolen data for nefarious ways.

Further, third parties can make an organization even more vulnerable to security breaches if their own cyberthreat policies and cloud storage procedures are outdated and substandard. Cybercriminals know this and look for security weaknesses within a third party to attack and steal their contracted companies’ data. While a breach may technically be the fault of the third party, it’s important to note that if a cyberattack occurs with the provider, the outcome and responsibility still falls with the life sciences business who has contracted the third party. It’s, therefore, essential that sound security measures inside the company and its third parties are in place to secure and protect valuable information at every front.

Key considerations

What can life sciences businesses do to ensure data protection, especially with their third parties? The following key areas should be considered.

  • Manage your contracts: Effective third-party management requires an understanding of and requirement for thorough controls and a documented agreement of roles and responsibilities outlined in your provider contract, and that includes how and where data is handled, secured and stored. Contract compliance management is essential, as failure to properly oversee these agreements could mean costly contractual missteps and exposures. To uncover these risk areas, particularly as it relates to data protection, a comprehensive contract compliance audit should be completed on existing contracts to assess whether your third parties are meeting their agreement obligations. In addition, a periodic right to audit should be maintained throughout the relationship to assess security measures and align with the changing business.
  • Assess annually: Similar to establishing a periodic contract compliance audit, it’s also key to have a regular systems and operations assessment in place with your third parties. Businesses change, and processes and relationships with providers must also adjust as conditions evolve. Evaluate the cadence of roles, responsibilities and outcomes. This should be done at least every 12 months, and more frequently as conditions dictate.
  • Proactively address regulations: When working with third parties, life sciences companies should be especially mindful of regulatory compliance, particularly as it relates to data security. The European Union’s General Data Protection Regulation (GDPR) is one such regulation that life sciences should address within their own organizations as well as the third parties they’re engaged with. The regulation requires all organizations that hold, transmit or process EU-resident data to comply with the law, regardless of whether companies or contracted third parties actually operate in the EU. GDPR raises the bar for protecting consumer information and requires specific tracking from collection to disposal. Moreover, U.S. states are following suit related to data protection with their own regulations like the California Consumer Privacy Act. As of June 2021, other states have already followed suit, including Colorado, Virginia, Illinois, Massachusetts, New Jersey, North Carolina, Pennsylvania, Rhode Island, Virginia and Utah. To address these and other data security concerns, companies should periodically audit current security and privacy strategies related to the company and contracted third parties, amend controls and planning as needed, align governance appropriately and have an incident response plan in place.
  • Get smart about your cyber insurance: The RSM cybersecurity survey found that 65% of middle market businesses currently utilize a cyber insurance policy to protect their company against internet-based risks, up from 57% in last year’s study. More of the larger middle market companies (71%) invest in policies than smaller organizations (59%), but usage rose in both segments from last year. RSM found that 80% of the companies that carry policies are familiar with their coverage levels, while 20% are somewhat familiar or not at all familiar. Smaller middle market companies appear most at risk, as only 49% of companies are familiar with their coverage, however that is a  15 percentage point increase from just last year. It’s key for companies to fully understand coverage levels (for instance, does the policy cover ransomware attacks?) to know that when an incident occurs, there are no surprises in what’s protected and what’s not.
  • Embrace a culture of cybersecurity: Life sciences companies frequently concentrate their passions on the science. That is core to who they are. With the additional rigors of research, trials, business development, profitability and more, there might be little room for also focusing on cybersecurity; however, in this age of “not if a breach occurs, but when,” it’s critical that companies embrace data security as a key tenet of their organization. Life sciences companies can integrate cybersecurity awareness through periodic employee training, awareness-building via fake phishing emails to uncover vulnerabilities, and other diagnostics and tests. The best companies are vigilant in their efforts to make sure every level of the organization, including those relationships within third parties, understand the threats and ways to combat them.

RSM contributors

  • Director, Health Care Senior Analyst
    Matt Wolf
    Health Care Senior Analyst
  • Joseph Benfatti
    Risk Consulting Privacy Practice Leader