The threat landscape in the bioeconomy is different from what most CISOs are used to. It includes traditional risks like data breaches, but the consequences are more complex.

A compromise of genomic databases, for example, does not just expose personal health data. It can also leak proprietary genetic sequences that represent years of research and investment. These are not just privacy violations; they are breaches that can cripple a business’s future R&D pipeline. One example is the breach at 23andMe, where attackers accessed genetic data of millions of users through credential stuffing.

Cyberbiosecurity risks go beyond data loss

The risks do not stop at data loss. Attackers who gain access to systems used in gene editing or synthetic biology can manipulate experimental data or alter DNA sequences. This kind of tampering is hard to detect and could lead to failed clinical trials, inaccurate research outcomes, or even the accidental creation of harmful biological materials. In some cases, these errors might only be noticed weeks or months later, after real-world damage is already done.

Manufacturing environments in biotech are also vulnerable. Automated systems used in drug development, diagnostics, and lab operations rely heavily on digital workflows. A single disruption, whether caused by ransomware or a targeted attack, can delay production or introduce defects into high-stakes materials. A similar disruption happened in 2017 when Merck was hit by the NotPetya malware. The company’s manufacturing operations were severely impacted for months, slowing production.

There is also the issue of intellectual property theft. The value of a biotech company often lies in its formulas, processes, and discoveries. If threat actors exfiltrate that data, it can be replicated or sold before the company even knows it is missing. This not only erodes competitive advantage but can also damage partnerships, investor confidence, and regulatory standing.

These threats are not theoretical. In 2020, the European Medicines Agency was attacked, and files related to Pfizer and BioNTech’s COVID-19 vaccine were accessed. While the companies’ own systems were not breached, the exposure of confidential scientific data through a regulatory partner shows how supply chain and third-party vulnerabilities can still result in cyberbiosecurity risk.

For CISOs, the challenge is to think beyond the perimeter and understand the physical and scientific impact of a digital breach. The threats are real, and the stakes are operational, reputational, and in some cases, biological.

Strategies for CISOs

To reduce risk in the bioeconomy, CISOs need to start thinking about cybersecurity and biosecurity as a single, combined effort, not separate problems. That means turning their attention to the unique systems, software, and data pipelines used in biotech environments.

Risk assessments must include bioinformatics platforms and digital lab systems. These aren’t traditional IT assets, but they often handle critical intellectual property or sensitive genomic data.

Working in isolation will not be enough. CISOs should build relationships with professionals who understand the science and operational realities behind biological research and manufacturing. Collaborating with biosecurity experts, whether internal or external, helps security teams see where the exposure is. Joint workshops or tabletop exercises can bridge the gap between disciplines and bring new risks to light before they turn into incidents.

Strict access control is also key. Systems that manage DNA sequencing, gene editing, or synthetic biology tools must be locked down. Role-based access control (RBAC), multi-factor authentication (MFA), and close monitoring of system logs can go a long way toward preventing insider threats or lateral movement after a breach.

Outdated software is another common problem. Many biotech tools, especially those developed in-house, are not patched as frequently as they should be. Vulnerabilities in niche platforms often go unnoticed. It’s important to stay on top of updates and verify patch coverage regularly, even for tools that fall outside the usual IT perimeter.

Finally, there needs to be a plan for how to respond if something goes wrong. That includes naming internal decision-makers, spelling out how the organization will communicate during a crisis, and having procedures in place to recover damaged systems or corrupted data.