Biopharma Needs to Protect more than Crown Jewel IP to Stay Competitive

cyber security

The problem of intellectual property theft is greater than most biopharma executives realize, but the real issue is that companies are protecting only a fraction of their IP.

“Companies, especially in biopharma, are used to protecting their crown jewels – their secret formulas and manufacturing expertise,” Anne Elise Herold Li, a partner in Crowell & Moring’s life sciences’ litigation, intellectual property and trade secrets group told BioSpace. What they’re not protecting is the foundational IP required to start a rival company. “That’s what’s at risk right now. A lot of new companies are trying to enter the market and they’re trying to get the basics right,” Li said.

Anne Elise Herold Li_Crowell & Moring“Standard operating procedures (SOPs), the steps to get from point A to point B and how R&D is conducted or managed are all competitive advantages that are, largely, not protected,” she elaborated. “Companies have developed this expertise over decades of trial and error, and it may not be guarded as closely (as how to make the molecule, for example), but it’s just as valuable to copycat companies.”

Trade secrets are kept in a safe, but SOPs and processes may be in the lab or on the manufacturing floor...or in email. “Because the company doesn’t treat it as secret, employees often don’t know that it is a secret thing,” Li said.

Foundational know-how can differ greatly among companies. Consider manufacturing patents. They outline the (often proprietary) growth media, tests and tools needed to create a specific product and are unique to certain platforms and types of indications. “You need to keep that under lock and key,” Li said. “If you design a way to cut one step from the manufacturing process or shorten it by a day or two, that could represent hundreds of millions of dollars for certain products.”

When people think of IP theft, Cold War-style industrial espionage and cyber hacking may come to mind, but theft more often is personal.

Monitor Competitors’ Job Postings

"Often, companies recruit away employees because of their very specific knowledge,” Li said. They may have knowledge relating to how a particular molecule is made, a particular process or what has been tried and failed. Therefore, she recommended monitoring competitors’ job postings to see if they are tailored to certain employees who have access to your proprietary information. These postings are designed to attract very specific individuals within a company and will closely mirror those individuals’ resumes. Mirroring an employee’s job description and expertise is a way to lure them to another company without ringing any alarm bells.

“Often, you can reach out to the competitor and ask them to show that the person they just hired from your company isn’t working in an area that would use their proprietary knowledge,” Li assured. “Competitors are much more engaged in this kind of conversation because it goes both ways.”

Some degree of insider knowledge can also be gained by hiring a spouse or family member. “Companies are very careful about tracking where employees go next, but nobody really tracks where the spouse or next of kin goes. That’s often a vector for inadvertent disclosure,” she added.

Knowledge Dispersed by Remote Work

With so many people working from home during the COVID-19 pandemic, both asset and foundational knowledge has been dispersed. According to the 2022 Ponemon Cost of Insider Threats Global Report, “Sixty-five percent of respondents say email is where employees store their organizations’ most sensitive data, such as…IP.” For all industries surveyed, it noted that incidents stemming from insiders increased 44 percent in the past two years. For example, 74 percent of those responding said malicious insiders had emailed sensitive data to outsiders, and 60 percent reported people accessing sensitive data that was not associated with their job functions. The report interviewed 1,004 individuals from 278 organizations, six percent of which were in health and pharmaceuticals.

“Now that people are coming back into the office, companies need to gather up those crumbs that have been put in the diaspora and get them back where they need to be, within the confines of the building,” Li said. Simply raising awareness of the risk is a good step.

Aside from a few high-profile cases that are referred to the U.S. Department of Justice, instances of IP theft tend to be settled privately, Li added. “Neither the one from whom the IP was stolen or those who did this want their names associated with IP theft.” Therefore, it’s hard to associate a dollar value with IP theft, she noted.

SEC Disclosure Guidance

“IP theft is more common than anyone realizes, but companies are very reluctant to talk about it because of the potential implications,” Amy Fix, partner at Barnes & Thornburg, told BioSpace.

Amy Fix_Barnes & ThornburgThe SEC, which could be expected to have data, is rather canny on the subject.

“There is no specific line-item requirement under the federal securities laws to disclose information related to the compromise (or potential compromise) of technology, data or intellectual property,” according to the SEC. Yet, the guidance continued, “The company has certain disclosure obligations for IP and technology risks and some existing rules or regulations could require disclosure regarding the actual theft or compromise of…IP if it pertains to assets or intangibles that are material to a company’s business prospects.”

For ‘crown jewels’ type IP theft, “The primary issue is the balance of risk versus reward,” Fix said. Because that information typically is well-protected, the thief tends to be more sophisticated than someone sharing foundational knowledge. For blockbuster products, the reward can be huge.

The chances of success also may be higher in biopharma than in other industries, she speculated. “I don’t think pharmaceutical organizations have invested in (mitigating) cyber risk as much as other areas of their companies. Because it’s such a highly regulated industry, even their IT components have to be reviewed and approved in terms of being audited…so they often don’t have the newest versions of everything…and that puts them at risk,” Fix explained.

Look Beyond the Crown Jewels

To safeguard IP, look beyond the crown jewels, Li advised, and identify what gives your company a competitive edge. “Implement the same sort of safeguards you use to protect the more specific product information,” such as restricting and monitoring access to that information.

Fix advocated segregating access to sensitive information, but with a caveat. “Take a step back and determine what really is sensitive and what isn’t. Don’t just mark everything confidential or proprietary." Doing so undermines protection for data that truly is sensitive. Instead, “Focus on data that actually needs encryption,” she said.

Going a step further, Li advised monitoring employee behavior. “For example, if someone suddenly works different or odd hours with no apparent reason, or tries to access information they don’t need for their job – even if it isn’t foundational SOP – find out why.

Also, conduct deep due diligence on collaborating companies and the individuals in that company. See if they’ve ever been involved in a trade secret or fraud case,” she said. The life sciences industry is more collaborative today than it was even three years ago, and far more so than 10 or 20 years ago. That collaboration strengthens companies and the industry, but also adds risks. As Fix said, “Every time you introduce a third party, you introduce IP risk.”

Back to news