A research report released last week on the supposed cyber
vulnerabilities of St. Jude Medical's devices not only
jeopardizes a pending $25 billion acquisition of the company by
Abbott Laboratories, it opens a worrisome new front on
While reports on cybersecurity vulnerabilities are nothing new,
this report on St. Jude was released not by a cybersecurity firm,
but by Muddy Waters Capital LLC, an investment firm that
simultaneously announced that it had taken a significant short
position in St. Jude.
The report stated, without disclosing much technical detail,
that there were security failures in St. Jude's pacemakers and
defibrillators (such as a lack of encryption) that theoretically
could allow unauthorized equipment to communicate with the implants
and cause potentially fatal disruptions. Muddy Waters could
be confident that such a disclosure would capture the imagination of
the average stockholder: a 2012 episode of Homeland
featured exactly this plot, complete with a pacemaker-wearing Vice
President. Shares of St. Jude fell almost 8 percent in
heavy trading immediately following the report.
Truly muddying the waters, the report was a collaborative effort
between the firm and MedSec Holdings, a group of white-hat
cybersecurity researchers with a history of ethical hacking and
sound research in the medical device space. MedSec not only
brought its findings of the cyber vulnerabilities in St. Jude's
devices to Muddy Waters' attention, it also struck a deal with
the firm to consult on the research report, and now stands to earn
a percentage of profits from the firm's short-selling
strategy. MedSec CEO Justine Bone claims that this was the
only way to hold St. Jude accountable, as companies are too
incentivized to "sweep this under the rug," to the
detriment of patients.
For practitioners, this dizzying interplay of
issues—cybersecurity disclosures, medical device hijacking,
publicly-traded securities, high-stakes deals, and ethical
hacking—presents a rich opportunity to study how judges and
federal agencies will respond. Already, the FDA has announced
that it would investigate the claims made in Muddy Waters'
report; the SEC can't be far behind. Litigation, too,
seems all but certain.
For some hackers, this is simply another way to make quick
money, this time from the securities markets. But unlike the
hackers in the 2015 newswire hacks, who traded on press releases
stolen before publication, white-hat cybersecurity researchers like MedSec
have traditionally played a vital role in helping companies fix their
bugs before the bad guys find them and exploit them for
profit. By joining forces with short-sellers to share in
the profit, and in doing so mimicking earlier market-moving
campaigns such as the Valeant/Citron Research and Herbalife/Pershing
Square fact patterns, the St. Jude report may prove the most
effective way yet to induce companies to improve their cybersecurity. It
certainly raises fresh questions about the ethics of white-hat
hacking, especially in an industry where the stakes of life and
death are not hyperbole.
For publicly-traded companies of all sizes and industries, this
episode underscores the need for a swift response plan to mitigate
the fallout from a similar disclosure, which could include a drop
in share price, the break-up of a pending deal, shareholder litigation,
and even scrutiny from the government. At the same time,
companies falling under this kind of spotlight need to take the
utmost care in crafting a public response to ensure that no false
or misleading statements are inadvertently made in the critical
hours and days following such a report, especially while an
investigation is underway and the facts are still fluid. Of
course, a robust approach to implementing cybersecurity measures in
all aspects of one's network infrastructure and connected
devices is always a foremost priority, and that approach should include
an established channel for receiving and acting on vulnerability reports
from outside researchers, so that a report like this one has somewhere
to go other than the market. But recognizing that
no plan is foolproof, and that hackers, whatever color hat
they're wearing, are a motivated lot, companies can learn
some valuable lessons from last week's developments and prepare
for the worst.