The supply chain in the pharmaceutical industry has become increasingly complex over the past several years, and with this complexity comes a growing amount of risk.
There are logistical issues to consider: a growing number of exchange points between production and consumers, shipments that must be refrigerated, new modes of transportation, and delays resulting from weather and traffic.
There are also issues related to compliance. The pharmaceutical industry is tightly regulated. If a company fails to comply with industry supply regulations, like Good Distribution Practice (GDP), the organization may face Corrective Action, Preventative Action (CAPA), which can cost between $10 million and $1 billion, depending on the severity of an infraction.
Lastly, the cost pressures of a globalized pharmaceutical market have forced pharma companies to outsource, relying more on their vendors and suppliers. This exposes them to significant supply-chain risks, including the possibility of third-party cyber risk.
Because of this challenging risk environment, many pharma companies may feel they’re poorly prepared to understand, manage and mitigate their risk, especially when it comes to their suppliers.
How can pharma mitigate third-party cyber risk?
When it comes to cybercrime, the pharma industry is one of the most targeted by cybercriminals. According to research, pharmaceutical companies are most often targeted because of their intellectual property: drugs and new compounds, which are profitable on dark web markets.
Data breaches can be devastating for a pharmaceutical company. According to the Ponemon Institute’s Cost of a Data Breach report, a data breach can cost pharmaceutical companies an average of $5.20 million. If a third party, like a supplier, causes a data breach, however, costs tend to rise — Ponemon finds that breaches caused by third parties often cost more than $370,000 more. Unfortunately, risk in pharma goes beyond the financial impact of a data breach. When drug production is halted, patients’ lives and well-being are at stake.
Although the pharmaceutical industry faces several unique challenges when it comes to risk, such as the process it must go through to bring a drug to market or develop a new product, the risks pharma faces when it comes to cyber attacks and third-party data breaches are not unique. With that in mind, there are steps the pharmaceutical industry can take to minimize its cyber risk when it comes to the supply chain.
Best practices for managing supply chain risk
1. Understand who your suppliers are
Listing your organization’s third parties can be daunting for any organization. Pharma companies, with their complex outsourced supply chain, may find this step extremely challenging. However, it is crucial to know who all your third parties are — from those who handle core business functions to smaller vendors who may only work with one or two departments.
Cyber risk can come from any vendor, no matter their size and function, and once you know who your suppliers are, your organization can begin classifying the vendors according to the risk they pose and the systems, networks, and data they are able to access.
2. Know the cyber risks
Once your organization has inventoried its suppliers, you can then identify and qualify your cyber risks. McKinsey suggests that pharmaceutical companies follow the example of banks, another tightly regulated industry that has already established processes for identifying new risks.
McKinsey recommends this four-step process from the financial sector:
- Create an inventory of risks, and map them against a standardized risk taxonomy.
- Estimate the likelihood and severity of each risk, and consider potential correlations among them.
- Aggregate the risks, and rank them in order of priority.
- Manage the risks by linking them to regular business processes, such as strategic and financial planning, enterprise risk management, and controls.
3. Calculate your risk
Not all cyber risks will bring production to a halt and not all suppliers pose the same risks to your data. Organizations should perform a risk analysis for each third party using the following formula (or whichever formula you use for your organization’s risk management):
Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
4. Assign a risk rating
Once you analyze the risk a supplier poses to your organization, you set a risk rating of high, medium, or low. The third parties who handle the most critical operations or the most sensitive data will likely be rated medium or high. Suppliers who do not interact with critical systems, networks, and data will be rated “low risk.”
Setting the risk rating allows you to prioritize your vendor risk monitoring strategies.
5. Set up a system for oversight and monitoring
Once you’ve determined your organization’s appetite for risk, it’s time to set up a system of controls for your vendors, as well as a system of oversight. The 3LOD risk management model suggests that organizations set up their risk management, oversight and governance along three lines:
- The first line owns and manages risks associated with day-to-day operational activities.
- The second line identifies emerging risks.
- The third line provides independent oversight of the other two lines.
Continuous monitoring is also important when it comes to third party risk. Suppliers may fall out of compliance, and it’s critical that you know when that happens.
How SecurityScorecard can help
To reduce the amount of administrative time and effort spent managing third party relationships, consider a tool that automates parts of the supply chain risk management process.
SecurityScorecard’s Atlas uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organizations can upload your suppliers’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying third party responses almost immediately. Our easy-to-read Security Ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your third party risk management program.
