Life sciences companies are increasingly relying on technology to innovate and shape their working methods. From the mass storage of data and medical records, to the use of wearable and mobile technology to record, analyse and even administer medicine, technology has become intrinsically connected with companies' R&D and growth. However, the adoption of new technology can be a double-edged sword: offering near unlimited possibilities, whilst bringing with it a raft of cyber security concerns and potential insurance liabilities. This leaves companies vulnerable to both reputational and financial damage. It has been estimated that the out-of-pocket costs for developing a new prescription drug average US$1.4 billion, so life sciences companies are rightly concerned about how to safeguard their digital assets.
Life sciences companies are required to maintain stringent risk management and internal control mechanisms. As well as being subject to this sector specific regulation, there are also additional requirements for companies whose shares are traded on relevant stock exchanges. Under English laws covering directors' duties, failure to comply with objective standards can lead to potential civil and criminal liability. Given these potential liabilities, companies should take steps to review their Directors' and Officers' liability (D&O) insurance policies to ensure adequate protection is in place for such eventualities.
Recent legislative developments, like the EU-wide General Data Protection Regulation (GDPR) which comes into effect across the EU in May 2018, will increase the regulatory burden and potential exposure. Companies will be required to conduct privacy impact assessments, notify when breaches occur and consult with the growing number of data protection authorities. Breaches of the GDPR could lead to significant fines: the higher of 4% of annual global turnover and €20 million, the sort of level only previously seen in antitrust and cartel cases. This is coupled with the EU Cybersecurity Directive, which Member States must implement by 9 May 2018, contributing to an already far-reaching regulatory field. Whilst the Directive may not apply to life sciences companies as they may not be 'operators of essential services', it could be regarded as an EU default minimum cyber security standard.
The position is made all the more complex by Brexit and the resulting uncertainty. The UK will still be in the EU at the time the new data protection and cyber security provisions come into force, and the Great Repeal Bill will ensure that all existing EU laws are incorporated into UK law on the day of exit. It is not yet clear what will happen post-Brexit, although one could assume that the Government will not wish the UK regime to diverge from the EU one. In part, at least, this is because the UK will need to be classified as a 'safe third country' by the European Commission to allow personal data to be transmitted from the EU into the UK.
In an industry where patient information and data are highly confidential, worth large amounts and where the material crosses national borders, life sciences companies are increasingly facing the threat of defending contractual and other claims from third parties for data security breaches, as well as the prospect of regulatory fines. In the US, the proliferation of class actions brings with it its own financial pressures.
Aside from the dangers of data loss, there is the danger that computers and systems being used to control actual healthcare devices, be they pacemakers, wearable technology or life support devices, are vulnerable to hacking. As such, a cyber security attack could potentially have a fatal outcome. Many commentators have said that there is a legislative gap between the potential risks inherent in cyber-managed systems and what current legislation requires in terms of data protection. It is an area as yet untested by litigation, but it has been suggested that it is just a matter of time before a claim arises.
Given the increased risks life sciences companies face in the form of cyber attacks and the myriad liabilities that may flow from any breach, they should review their existing insurance arrangements to ensure that they provide adequate cover against cyber security risk. For example, they could consider tailored extensions to public and product liability, or to D&O liability insurance, or they could look at specialist standalone cover. This is particularly necessary given that these companies will be using, investing in, and relying on cyber systems. Ensuring responsive insurance is in place may go a long way towards softening the wide-ranging ramifications of an attack.