Top threats for the pharmaceutical sector fall into three key categories: (1) Cyber-enabled insider trading, (2) Executive impersonation fraud, and (3) Disruptive attacks like ransomware. Additionally, expected geopolitical developments in China and Ukraine may generate cyber risk for pharmaceutical companies that are operating within these countries.
1. Cyber-Enabled Insider Trading
Niche groups of cybercriminals are likely to target the pharmaceutical sector with network intrusions that are geared toward the collection of sensitive, non-public information that can be used to facilitate insider trading. Insurance reimbursement rates, pricing schemes, negotiation agreements and positions, and related information can have a significant effect on the stock price of pharmaceutical companies, and, if obtained, may be used to facilitate illicit stock trades. There is precedent for sophisticated, non-U.S.-based cybercriminal groups conducting highly targeted attacks against pharmaceutical companies for this purpose, and we see no sign that interest in operations of this nature has abated. FIN4 and Morpho are two of the most notable examples of cybercriminal groups that are suspected of targeting pharmaceutical companies for the purposes of conducting insider trading.
Insider trading-focused network intrusions may be tailored specifically for the targeted pharmaceutical company, and thus may be difficult to detect in early phases. Compromised third-party network access (e.g., information technology vendors), compromised internal email accounts, and legitimate internal company documents that have been maliciously modified (i.e., by insertion of malicious code) are just a few of the target-specific tactics that the most sophisticated, insider trading-focused cybercriminals have used to distribute malware and/or gain an initial foothold in pharmaceutical companies’ networks. Use of a pharmaceutical company’s own resources, or those of its vendors, to enable network intrusions may lend an air of legitimacy to cybercriminals’ activities, thus increasing their chances of evading detection.
Potential Responses
- Focus on maturation of the insider threat program.
- Focus on maturation of the data loss prevention program and ensure that it is fused into the larger incident tracking program.
- Establish a formal plan for responding to suspected incidents of insider trading, including identification of any compliance actions that may be required.