I am attending BIO 2018 in Boston, just steps from our Boston office. Naturally, I was drawn to yesterday’s session on “Life Sciences Cyber Exposures and Risk Mitigation Considerations.” But I came away disappointed. First of all, the session was held in a small room and even then, it was only one-third full (maybe 30 people of the 16,000 attending BIO 2018 chose to attend).
The session revolved around a recent breach reported by Sangamo Therapeutics. According to the company’s recent 8-K:
- “On April 17, 2018, Sangamo Therapeutics, Inc. (the “Company”) announced a data security incident involving the compromise of a senior executive’s Company email account. Upon learning of the incident on March 28, 2018, external network security experts were promptly engaged, and the incident response team worked diligently to investigate the incident. The Company also promptly notified federal law enforcement of the incident. The investigation concluded that the incident was limited to the compromise of the senior executive’s Company email account for approximately 11 weeks. The investigation did not reveal any evidence that the Company’s network or other information technology systems were otherwise compromised in connection with the incident or that the incident resulted in the disclosure of or access to personal information about patients or other individuals besides the holder of the Company email account that was affected. However, proprietary, confidential and other sensitive information of the Company and other entities was accessed and may have been compromised as a result of the incident. The Company is continuing to analyze the effects of the incident, along with appropriate remediation of the Company’s information technology systems, and that analysis and the related remediation efforts could ultimately reveal that other Company information technology systems were compromised and/or that additional information was revealed or compromised.”
The breach was the result of a phishing incident, and Sangamo’s in-house counsel reported spending over $500,000 on attorneys’ fees and forensic consultants as part of its response. Interestingly, it appears Sangamo did not have an incident response plan in place prior to this, which is surprising for a company with a market cap of $1.675 billion. That comes on the heels of the ransomware attack that cost Merck more than $300 million in Q3 2017 alone. So I left the session with the sense that biotech companies still aren’t taking cyber as seriously as they should.