Life Science Mergers and Acquisitions: Cyber Risks and Security

Author. Olivier Moll     Nov 2, 2020
Life Science Mergers and Acquisitions: Cyber Risks and Security

Acquiring small organisations sometimes means big risks

Life science is already among one of the most threatened industries when it comes to cybercrime. As an industry built upon technology, trade secrets, high revenues and extensive spend on research and development, these companies are a prime target for online criminals. These organisations are also one of the most active when it comes to mergers and acquisitions (M&A) - which introduces even more potential for disaster. How can large organisations protect themselves while still expanding?

Life Sciences and M&A - an entry for cybercrime

Mergers and acquisitions (M&A) are one of the most common ways for a large life science organisation to expand. By owning the intellectual property, products and customer-base of smaller organisations, larger enterprises can quickly grow. However, this introduces new risks that come with far-reaching consequences.

During a merger or acquisition, the involved companies are at their most vulnerable. Sensitive information and data from both sides are typically more exposed and more widely shared as company stakeholders are evaluating the decision. This situation creates an opportunity for cybercriminals to take advantage of the vulnerabilities that occur for both organisations, with the larger business usually being the target. These are the main reasons for increased risk:

  • Smaller companies have less secure IT environments
  • Smaller companies have a higher tolerance for risk
  • Smaller companies have smaller IT security teams
  • Smaller companies struggle to provide funds for cyber due diligence

To cybercriminals, M&A are a gateway to accessing their real target - the life science enterprise, which has caused numerous problems and challenges for the industry in general.

The Impact of cybercrime on organisations

Successful cybercriminal activities can have drastic effects on organisations whether they are the buyer or the seller in M&A. Let’s examine a few of the possible consequences in greater detail.

5%-20% Drop in company valuation

A recent survey from Intralinks concluded that half of the respondents believed M&A target companies could lose between 5 and 20 per cent of company value. The same poll indicated that almost a quarter of respondents expected M&A deals to fail following a successful cyber attack.

Conversely, a 2016 survey found that if a company could demonstrate its ability to protect critical information from cyber attacks, its perceived value would rise.

Loss of intellectual property

When a cyberattack occurs, the first targets are usually information, and some information is priceless. Leaks of intellectual property can lead to loss of competitive advantages, loss of revenue and irreversible financial and reputational damage. These can include patents, designs, copyrights, trademarks and trade secrets.

However, perhaps the most damaging aspect of IP loss lies with clinical trial data, which is often related to significant value drivers of M&A decisions. This data is critical to bringing a drug to market and involves massive investments and effort on behalf of an organisation. Deloitte estimates that this could cost anywhere between $295 - $363 million.

Operational disruption

With every disruption to the natural workflow of an organisation comes a cost associated with the productivity lost or better spent elsewhere. A Ponemon Institute study found that the average time to identify and contain a breach for life sciences organisations was 271 days with a cost to company coming in at an average of $4.38 million for the time and resources spent.

Regulatory compliance

In addition to criminal threats, the cost of failing to protect personal data introduces legal risks. The GDPR introduces a maximum penalty of 20 million euros or 4% of annual global turnover.

The GDPR also requires organisations to report the incident to the relevant Data Protection Authority within 72 hours, making the affair much more public than in the past. This could cause reputational damage as well as loss of customers and share value.

How life science organisations can protect themselves

The threats outlined above have the power to cripple a life science organisation should they lack adequate security measures to protect their data well. However, M&A is a vital element for fast-growing and expanding enterprises, and will remain as such for the foreseeable future. This begs the question, how can large life science organisations protect themselves when they cannot control the budget or security of smaller organisations?

The key is to gain complete control and access over data communications through a secure network.

The next-generation of networks for B2B WAN communications

The internet, as we know it, where cyber-attacks occur, sends data by automatically selecting the fastest route possible to its destination. All it takes for a cybercriminal to hijack that information is to present a fake path offering faster travel. This is a challenge that Next-Generation Internet solutions can solve.

Anapaya’s connectivity solutions offer life science organisations the ability to select which networks their sensitive medical data passes through. For example, if they wish to avoid specific geographical areas or choose to avoid poorly regulated locations and networks entirely. Anapaya’s solutions are also completely immune to routing attacks (BGP hijacking), with information only being sent through legitimate networks.

Pharmaceutical enterprises acquiring a smaller company can introduce them to the secure network and exchange data without any external threats, preventing data leaks, information hijacking and even limit the extent of DDoS attacks while staying GDPR compliant.

Acquire next-generation security

The life sciences industry is built upon the acquisition, implementation and protection of data. This data was entrusted to these organisations to run efficiently and improve the lives of people around the world. The Next-Generation Internet provides the framework for the next step towards protecting this industry, especially as companies grow through M&A.

It’s time to gain the confidence and surety you, your stakeholders and patients deserve. If you would like to gain control over your data, stay compliant with the GDPR and protect yourself from cybercrime, explore to find out more or contact us today and discover how the Next-Generation Internet can change the way you think about security.


Insider, Anapaya

Schedule a free
consultation and experience the power of SCION

Our specialists are ready to assist you in becoming SCION-enabled. Fill in the form on the right and elevate your network to the next level.