A research report released last week on alleged cyber vulnerabilities in St. Jude Medical’s devices not only jeopardizes a pending $25 billion acquisition of the company by Abbott Laboratories, it opens a worrisome new front in cybersecurity-related risk.
While reports on cybersecurity vulnerabilities are nothing new, this report on St. Jude was released not by a cybersecurity firm, but by Muddy Waters Capital LLC, an investment firm that simultaneously announced that it had taken a significant short position in St. Jude.
The report stated, without disclosing much technical detail, that St. Jude’s pacemakers and defibrillators have security failures (such as a lack of encryption) that could theoretically allow an unauthorized device to communicate with an implant and cause potentially fatal disruptions. Muddy Waters could be certain that such a disclosure would capture the imagination of the average stockholder: a 2012 episode of Homeland featured exactly this plot, complete with a pacemaker-wearing Vice President. Shares of St. Jude fell almost 8 percent in heavy trading immediately following the report’s release.
Truly muddying the waters, the report was a collaborative effort between the firm and MedSec Holdings, a group of white-hat cybersecurity researchers with a history of ethical hacking and sound research in the medical device space. MedSec not only brought its findings of the cyber vulnerabilities in St. Jude’s devices to Muddy Waters’ attention, it also struck a deal with the firm to consult on the research report, and now stands to earn a percentage of profits from the firm’s short-selling strategy. MedSec CEO Justine Bone claims that this was the only way to hold St. Jude accountable, as companies are too incentivized to “sweep this under the rug,” to the detriment of patients.
For practitioners, this dizzying interplay of issues—cybersecurity disclosures, medical device hijacking, publicly-traded securities, high-stakes deals, and ethical hacking—presents a rich opportunity to study how judges and federal agencies will respond. Already, the FDA has announced that it would investigate the claims made in Muddy Waters’ report; the SEC can’t be far behind. Litigation, too, seems all but certain.
For many hackers, however, this boils down to just another way to make quick money, this time off the securities markets. But unlike the hackers in the newswire cases, who traded on stolen press releases, white-hat researchers like MedSec have traditionally played a vital role in helping companies fix their bugs before the bad guys find and exploit them for profit. By joining forces with short-sellers and sharing in the profit (mimicking earlier market-moving campaigns such as Citron Research’s report on Valeant and Pershing Square’s on Herbalife), MedSec may have found the most forceful way yet to induce companies to improve their cybersecurity, but it certainly raises fresh questions about the ethics of white-hat hacking, especially in an industry where the stakes of life and death are not hyperbole.
For publicly-traded companies of every size and industry, this episode underscores the need for a swift response plan to mitigate the fallout from a similar disclosure: a drop in share price, the break-up of a pending deal, shareholder litigation, and even government scrutiny. At the same time, a company under this kind of spotlight must take the utmost care in crafting its public response so that no false or misleading statements are inadvertently made in the critical hours and days following such a report, especially while an investigation is underway and the facts are still fluid. A robust approach to cybersecurity across one’s network infrastructure and connected devices is, of course, always a foremost priority. But recognizing that no plan is foolproof, and that hackers, whatever color hat they are wearing, are a motivated lot, companies can learn some valuable lessons from last week’s developments and prepare for the worst.