News|Articles|May 12, 2026

Pharmaceutical Cybersecurity and Risk Management: Q&A with Jamie Singer & Matt Flora


Key Takeaways

  • Threat actors increasingly deploy data extortion, supply-chain attacks, and executive-targeted harassment, aiming to maximize operational and reputational disruption beyond classic ransomware monetization models.
  • AI tool proliferation introduces governance, privacy, and security exposure; clear protocols and mandatory employee education should precede broad deployment to reduce misuse and data leakage.

Jamie Singer and Matt Flora discuss how cybersecurity threats in pharma are evolving beyond ransomware to include data extortion, supply chain attacks, and AI-driven risks.

In a conversation with Pharmaceutical Executive, Matt Flora, managing director, cybersecurity, FTI Consulting, and Jamie Singer, senior managing director, co-lead U.S. cybersecurity and data privacy communications practice, FTI Consulting, discuss how an increasingly complex threat landscape is reshaping risk management priorities across the pharmaceutical and biopharma industries.

Drawing on their experience advising life sciences organizations, both explain how cyber threats have evolved beyond traditional ransomware attacks to include data extortion, supply chain vulnerabilities, and even executive-targeted harassment, all while the rapid adoption of AI introduces new governance and security challenges. Flora and Singer also outline where companies are falling short, from gaps in third-party risk management to inconsistent compliance strategies, and highlight practical steps leaders can take, including strengthening enterprise-wide governance frameworks, enhancing continuous monitoring capabilities, and elevating cybersecurity as a board-level priority.

A transcript of Flora and Singer’s conversation with Pharmaceutical Executive can be found below.

Pharmaceutical Executive: The pharmaceutical and biopharma industries sit on some of the most sensitive intellectual property in the world, from drug formulas to clinical trial data. How has the threat landscape evolved over the past few years?
Jamie Singer: Threat actors are increasingly sophisticated today. From ransomware events to pure data extortion to supply chain attacks, they look to create maximum pain on organizations including in the pharmaceutical and biopharma industries. In addition to traditional extortion tactics, threat actors today are also resorting to aggressive tactics such as harassment of executives and physical safety threats.

PE: AI adoption is accelerating across drug discovery, clinical development and supply chain operations, but with that comes an expanded attack surface and new data governance challenges. How should pharma and biopharma leaders be thinking about the security implications of AI integration before they deploy, rather than after a breach forces their hand?
Singer: With AI adoption comes both tremendous opportunity and risk. Potential security and privacy concerns can result from ineffective AI governance, especially for organizations that have not invested in employee education and training around proper use of AI tools. It is critical that biopharma organizations adopt clear governance protocols and institute employee training before widespread AI tool use begins.

PE: The regulatory environment around data security in life sciences is becoming increasingly complex, with frameworks like HIPAA, GDPR and emerging FDA guidance on cybersecurity all creating overlapping obligations. Where are companies most commonly falling short in compliance, and what does a proactive regulatory strategy look like in this sector?
Matt Flora: In my experience conducting risk and compliance assessments for life sciences organizations, common issues include gaps in third-party risk management, poor enforcement of Principle of Least Privilege access controls, inconsistent threat monitoring across on-premises, cloud, and SaaS platforms, and weak or non-existent backups.

Focusing internal risk assessments on IT/security control maturity rather than examining specific risks to the organization and measuring the mitigating technical and administrative controls across all departments is another frequent misstep.

A proactive regulatory strategy starts with enterprise-wide alignment. Leading companies map regulatory requirements to a recognized framework (such as the NIST Cybersecurity Framework and NIST Privacy Framework), conduct comprehensive assessments across the enterprise, and standardize policies and procedures to ensure controls operate consistently in practice, not just on paper.

PE: What innovations in third-party risk management are showing real promise, and how should organizations be restructuring those accountability frameworks?
Flora: I’m seeing a push to expand third-party risk management beyond the standard safeguard of including security clauses in contracts. Organizations are developing formal vendor inventories, assessment criteria, and risk scoring schemas using governance, risk, and compliance (GRC) tools.

Organizations are incorporating continuous monitoring tools that provide near-real-time insight into vulnerabilities, security posture changes, and potential incidents. This enables organizations to actively manage third-party risk rather than reacting only after an issue has occurred.

An effective third-party risk management program is risk-based, scalable, and continuous. Leading organizations start by categorizing vendors based on their access to critical assets, then tailor the depth and frequency of assessments to that risk profile. Organizations can look at frameworks such as NIST SP 800-161 (Cybersecurity Supply Chain Risk Management) to ensure their program is comprehensive.

PE: What does best-in-class security leadership look like in pharma and biopharma today, and how is that role evolving as AI and data complexity continue to grow?
Singer: Cybersecurity has moved from the backroom to the boardroom. It is a whole-of-business issue that requires involvement from technical, operational, legal, communications, and human resources professionals within life sciences organizations. While InfoSec teams maintain the technical knowledge, it is important that these concepts are translated for executive teams and boards in a way that can be understood and actioned. CISOs must not only be technical experts today, but effective communicators as well.
