Industry Brief
2024 Analysis of Sensitive Content Communications in Pharmaceuticals and Life Sciences: Security and Compliance Trends
Highlights
Communication Tools in Place
11%
7+
6%
6
11%
5
22%
4
28%
3
11%
2
0%
1
Exchange Sensitive Content With Third Parties
6%
Over 5,000
17%
2,500 to 4,999
22%
1,000 to 2,499
17%
500 to 999
39%
Less than 499
Data Types Biggest Concern (Top 3)
60%
Legal Communications
55%
Financial Documents
40%
GenAI LLMs
40%
M&A
30%
PHI
30%
CUI and FCI
25%
PII
20%
IP
Biggest Privacy and Compliance Focus (Top 2)
61%
GDPR
56%
CMMC
39%
U.S. State Privacy Laws
39%
SEC Requirements
33%
HIPAA
17%
Country-specific Data Privacy Laws
6%
PCI DSS
Most Important Security Validations (Top 2)
67%
ISO 27001, 27017, 27018
44%
NIST 800-171/CMMC 2.0
39%
SOC 2 Type II
33%
IRAP (Australia)
11%
FedRAMP Moderate
6%
NIS 2 Directive
Number of Times Experienced Sensitive Content Communications Hack
0%
10+
22%
7 to 9
6%
4 to 6
39%
2 to 3
11%
1
22%
Don’t Know
The 2024 Kiteworks Sensitive Content Communications Privacy and Compliance Report provides an in-depth analysis of the challenges and trends in managing sensitive content across various industry sectors, including pharmaceuticals and life sciences. This brief focuses on the key findings related to pharmaceuticals and life sciences, highlighting the tools used for sensitive content communications, cybersecurity concerns, third-party communication risks, specific cyber threats, and compliance implications.
Managing All the Sensitive Content Communications Tools
28% of pharmaceuticals and life sciences firms rely on five or more communication tools to send and share sensitive content, which is almost half of what it was for the full cohort (53%). When it comes to tracking and controlling sensitive content, 56% of pharmaceuticals and life sciences respondents said they can track and control sensitive data sent and shared internally, whereas 44% indicated they can do so when it is exchanged externally. Both are slightly better than the full respondent averages of 51% and 43%, respectively.
When it comes to sensitive content communications privacy and compliance priorities, preventing leakage of confidential IP and corporate secrets and avoidance of regulatory violations (fines and penalties) were the two top priorities for pharmaceuticals and life sciences—56% and 50%. These largely align with the average of all respondents—56% and 48%, though they cited mitigation of lengthy and expensive litigation as their second-highest priority (51%). Considering the importance of IP for pharmaceuticals and life sciences organizations and regulatory compliance in the industry, these data findings are not surprising. One area that was higher for pharmaceuticals and life sciences than other industries was concern over avoidance of detrimental brand impact—39% compared to 15% for the full cohort.
Assessing the Third-party Risk of Sensitive Content
Compared to all respondents where 39% indicated they exchange sensitive content with over 2,500 third parties, only 23% of pharmaceuticals and life sciences respondents said they do so (45% of exchange data with over 1,000 third parties versus 66% of all respondents). When it comes to tracking and controlling sensitive content once it leaves an application, half of pharmaceuticals and life sciences respondents indicated they can track and control over three-quarters of sensitive content when it leaves an application. This is significantly worse than all respondents (61%).
Assessing the State of Sensitive Content Compliance
84% of pharmaceuticals and life sciences organizations revealed their measurement and management of compliance for sensitive content communications requires some to significant improvement. This is slightly less than what all respondents reported: 88%.
Pharmaceuticals and life sciences cited GDPR as their biggest focus area over other data privacy regulations (61%). Interestingly, CMMC 2.0 was a close second at 56%. The focus on both is substantially higher than all respondents—41% and 25%, respectively.
When it comes to vetting and selecting security validations or certifications, pharmaceuticals and life sciences were one of the highest industry sectors to list ISO 27001, 27017, and 27018 as a top priority (67%; one of three priorities). Other security validations and standards were significantly lower—NIST 800-171 at 44% and SOC 2 Type II at 39%.
Assessing the Risk of Sensitive Content Security
When it comes to measuring and managing sensitive content communications security maturity, every pharmaceuticals and life sciences respondent indicated their organizations require some or significant improvement. This stands in contrast with other industry sectors where at least some respondents said no improvement was needed.
No pharmaceuticals and life sciences respondent indicated their organizations experienced 10 or more data breaches (unlike all other industry segments except for legal). However, 22% said they experienced seven to nine data breaches. Compared to other industry segments and full respondent average (32% experienced seven or more), pharmaceuticals and life sciences is faring better when it comes to data breaches.
Advanced security capabilities and practices such as encryption, multi-factor authentication, and governance tracking and control are only used for some sensitive content by pharmaceuticals and life sciences 39% of the time (the same percentage as all respondents).
Assessing the Cost of Security and Compliance
While pharmaceuticals and life sciences may not be experiencing as many data breaches as other industry segments, a certain segment of the industry is experiencing higher litigation cost; 17% said they spend over $7 million annually. Overall, the amount being spent on litigation costs in pharmaceuticals and life sciences organizations is lower than a cross-industry average.
Knowledge and Categorization of Data Types
A smaller percentage of pharmaceuticals and life sciences respondents indicated they tag and classify unstructured data than other industry sectors (39% said they tag and classify around three-quarters). This compares to the 48% of all respondents who said their organizations do so. With the volumes of data generated in pharmaceuticals and life sciences, one would assume the industry would be doing better.
Surprisingly, the percentage of pharmaceuticals and life sciences respondents who feel over 60% of their unstructured data should be tagged and classified is higher than most industries (half). This reveals a gap and potential risk that pharmaceuticals and life sciences will likely seek to fill.
Imperative for Robust Sensitive Content Management in Pharmaceuticals and Life Sciences
The Kiteworks 2024 Sensitive Content Communications Report highlights the critical need for robust management of risk and compliance in sensitive content communications in pharmaceuticals and life sciences. Legal communications (60%) and financial documents (55%) were selected the most often by respondents who were asked to check their two biggest data type risks. Intellectual property (IP) scored quite low (20%), a number one would expect to be much higher in the industry sector.
Operationally, pharmaceuticals and life sciences firms spend a lot of time managing logs generated by the numerous communication tools they use to share and send sensitive content. 33% of respondents must reconcile over 11 (compared to the 48% average of all respondents), and 11% of respondents did not even know how many must be reconciled. This compiles into a report logjam, albeit pharmaceuticals and life sciences firms are doing slightly better than the full report cohort; 17% spend 2,500 hours or more annually and another 6% spend over 2,000 hours. 40% spend over 1,500 hours annually (compared to 62% in the full cohort).