How medtech can comply with new SEC cyber disclosure rule

  • Blog
  • November 13, 2023

Sarat Mynampati

Principal, PwC US

Denis Jacob

Managing Director, PwC US

Recent regulations issued on cybersecurity by both the SEC and FDA highlight the opportunities for medtech organizations to build trust among their stakeholders, safeguard their brands, and protect their customers and, more importantly, their patients. By proactively mitigating cybersecurity risks, medtech organizations can demonstrate their commitment to safety and trust.

What is the SEC cyber disclosure rule?

The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023, with the new disclosure requirements taking effect in mid-December.

What does this mean for the medtech industry?

The medtech industry has its own unique challenges that should be addressed so it can meet the SEC cyber requirements:

  • Legacy systems and products: Medtech devices may not have undergone regular software updates and may run on legacy software. There are countless legacy devices in the field that may contain software that is several generations behind and is no longer supported
  • Network segmentation as a key approach to safeguard medical devices: The common historic approach to safeguarding medtech devices sold to health systems and providers has been through network segmentation or by not enabling the devices’ networking features
  • Dispersed locations: Many of these devices are also not located at a traditional data center and are instead used at numerous points of care (including medical centers and doctors’ offices), leading to increased opportunities for different parties to interact with the devices
  • Connected devices: Increasing consumerization of healthcare often leads to an increase in direct patient or customer involvement and an increase in the number of connected devices
  • Enterprise governance and operating model: Key functional teams including IT, Information Security and Product Development often operate independently, leading to the potential for gaps in cyber risk strategy
  • M&A activity: The medtech industry has undergone significant consolidation in recent years, which can create the risk of an incoherent product ecosystem

Considerations to help you comply with the SEC cyber rule

Medtech companies have a responsibility to remain patient-centric while complying with regulations related to their devices. With this call to action, medtech organizations should prioritize cyber efforts and reporting, including assessing readiness across the following areas:

1. Enterprise governance model: Organizations should assess whether their governance and associated procedures are currently up-to-date and effective. A regular cadence for review and revision should be established.

2. Establishing a stronger security posture through:

  • Security risk management (e.g., threat modeling, cybersecurity risk assessments, interoperability, third-party components)
  • Defense-in-depth security architecture that considers controls across various cyber domains
  • A secure product development framework that ensures that products are designed with security and safety top of mind
  • Continuous assessment and review of the effectiveness of the risk management program

3. Continuous logging, monitoring and incident response: Organizations should prioritize:

  • Continuous logging and investigation into anomalies
  • Regular cybersecurity testing to assess various threat levels and the organization’s response effectiveness
  • Automated investigation processes for accelerated monitoring and response

4. Traceability: Businesses should ensure the traceability of equipment used internally and externally (e.g., devices that have been sold and are present in the field).

5. Modernization: Businesses should make it a priority to:

  • Modernize security of devices
  • Establish timeline on sunsetting legacy devices

6. Testing and training: The complexity of both cybersecurity threats and the industry’s products is constantly increasing.

  • Organizations should work with their employees so they can remain up to date on the threats and product ecosystem

7. Industry collaboration: Engage closely with health systems to help:

  • Secure products
  • Modernize and update security of devices
  • Increase adoption of automatic updates
  • Remove or trade in legacy devices with software that is no longer supported
  • Provide real-time detection of vulnerabilities

PwC is here to help

Cyber threats can lead to medtech business and supply chain disruption for end users and jeopardize patient trust, quality and safety. The sector should work to proactively navigate this changing landscape and help protect organizations and patients through effective cybersecurity practices.