Posted on Jul 22, 2020
The supply chain in the pharmaceutical industry has become increasingly complex over the past several years, and with this complexity comes a growing amount of risk.
There are logistical issues to consider: a growing number of exchange points between production and consumers, shipments that must be refrigerated, new modes of transportation, and delays resulting from weather and traffic.
There are also issues related to compliance. The pharmaceutical industry is tightly regulated. If a company fails to comply with industry supply regulations, like Good Distribution Practice (GDP), the organization may face Corrective Action, Preventative Action (CAPA), which can cost between $10 million and $1 billion, depending on the severity of an infraction.
Lastly, the cost pressures of a globalized pharmaceutical market have forced pharma companies to outsource, relying more on their vendors and suppliers. This exposes them to significant supply-chain risks, including the possibility of third-party cyber risk.
Because of this challenging risk environment, many pharma companies may feel they’re poorly prepared to understand, manage and mitigate their risk, especially when it comes to their suppliers.
When it comes to cybercrime, the pharma industry is one of the most targeted by cybercriminals. According to research, pharmaceutical companies are most often targeted because of their intellectual property: drugs and new compounds, which are profitable on dark web markets.
Data breaches can be devastating for a pharmaceutical company. According to the Ponemon Institute’s Cost of a Data Breach report, a data breach can cost pharmaceutical companies an average of $5.20 million. If a third party, like a supplier causes a data breach, however, costs tend to rise — Ponemon finds that breaches caused by third parties often cost more than $370,000 more. Unfortunately, risk in pharma goes beyond the financial impact of a data breach. When drug production is halted, patients’ lives and well-being are at stake.
Although the pharmaceutical industry faces several unique challenges when it comes to risk, such as the process it must go through to bring a drug to market, or develop a new product, the risks pharma faces when it comes to cyber attacks and third-party data breaches are not unique. With that in mind, there are steps the pharmaceutical industry can take to minimize its cyber risk when it comes to the supply chain.
Listing your organization’s third parties can be daunting for any organization. Pharma companies, with their complex outsourced supply chain, may find this step extremely challenging. However, it is crucial to know who all your third parties are — from those who handle core business functions to smaller vendors who may only work with one or two departments.
Cyber risk can come from any vendor, no matter their size and function, and once you know who your suppliers are, your organization can begin classifying the vendors according to the risk they pose and the systems, networks, and data they are able to access.
Once your organization has inventoried its suppliers, you can then identify and qualify your cyber risks. McKinsey suggests that pharmaceutical companies follow the example of banks, another tightly regulated industry which has already established processes for identifying new risks.
McKinsey recommends this four-step process from the financial sector:
Not all cyber risks will bring production to a halt and not all suppliers pose the same risks to your data. Organizations should perform a risk analysis for each third party using the following formula (or whichever formula you use for your organization’s risk management):
Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
Once you analyze the risk a supplier poses to your organization, you set a risk rating of high, medium, or low. The third parties who handle the most critical operations or the most sensitive data will likely be rated medium or high. Suppliers who do not interact with critical systems, networks, and data will be rated “low risk.”
Setting the risk rating allows you to prioritize your vendor risk monitoring strategies.
Once you’ve determined your organization’s appetite for risk, it’s time to set up a system of controls for your vendors, as well as a system of oversight. The 3LOD risk management model suggests that organizations set up their risk management, oversight and governance along three lines:
Continuous monitoring is also important when it comes to third party risk. Suppliers may fall out of compliance, and it’s critical that you know when that happens.
To reduce the amount of administrative time and effort spent managing third party relationships, consider a tool that automates parts of the supply chain risk management process.
SecurityScorecard’s Atlas uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organizations can upload your suppliers’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying third party responses almost immediately. Our easy-to-read Security Ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your third party risk management program.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.