Executive takeaways
- The Novo Nordisk incident is a leadership case study: cyber risk in biotech now touches clinical research, intellectual property, AI models, manufacturing knowledge, investor confidence, and patient trust.
- Data theft is the business issue: reported attacker claims remain partly unverified, but the incident shows why leaders need fast answers about what data exists, where it lives, who can access it, and what was copied.
- Third-party and research ecosystems expand exposure: clinical studies often span CROs, labs, eTMF repositories, CTMS platforms, analytics environments, collaboration sites, and cloud services.
- Prepared teams practice before crisis: executive tabletop exercises should test detection, data ownership, exfiltration analysis, third-party obligations, and asset prioritization before an actual breach.
When Novo Nordisk disclosed a cybersecurity incident involving unauthorized access to internal systems and the external copying of certain data, most headlines focused on the attack itself. For biotechnology executives, the more important story is what the incident reveals about the growing business risks associated with clinical research, scientific data, and digital operations.
Cybersecurity incidents in life sciences differ from those in many other industries. Biotechnology companies manage assets that can directly affect research programs, regulatory obligations, intellectual property, investor confidence, competitive positioning, and patient trust. Clinical trial data, scientific research, regulatory submissions, manufacturing knowledge, and strategic partnerships often represent years of work and significant investment.
The Novo Nordisk breach should therefore be viewed not only as a cybersecurity event, but also as a leadership and risk management case study. While many details remain under investigation, the incident raises five questions every biotechnology executive should be asking about their own organization.
Novo Nordisk has publicly confirmed unauthorized access to a limited number of internal IT systems and external copying of certain non-public data, including personal data. Claims about FulcrumSec, the volume of data, ransom demands, AI models, and proprietary research assets are based on public reporting and attacker claims, not all of which have been independently verified.
What happened?
In June 2026, Novo Nordisk published an incident update stating that it had identified unauthorized access to a limited number of internal IT systems and that certain non-public data, including personal data, had been copied externally. The company said it was working with external cybersecurity experts and relevant authorities.
Public reporting indicates that affected information included data associated with some clinical trials and healthcare professionals. Reporting also described pseudonymized clinical trial data rather than direct identifiers in some affected datasets. Even when names and direct identifiers are not present, clinical research information remains sensitive because of its connection to research participants, studies, products, and future development programs.
The incident is notable because it appears to have centered on data theft rather than broad operational disruption. Novo Nordisk continued operating while investigating the breach. That reflects a broader trend in which attackers increasingly target information itself rather than only trying to shut down operations.
Additional reporting attributed the attack to a cyber extortion group known as FulcrumSec. SecurityWeek reported that the group claimed to have stolen 1.3 terabytes of data. BankInfoSecurity reported that the group began leaking samples from the claimed dataset and described alleged theft involving pharmaceutical data and intellectual property. Those claims should be treated as allegations unless confirmed by Novo Nordisk or investigators.
According to public reporting, the allegedly stolen information may extend beyond clinical trial data and include artificial intelligence models, drug discovery research, manufacturing processes, source code, competitive analysis, and information related to marketed and investigational products. Novo Nordisk has acknowledged awareness of attacker claims but has not publicly confirmed their full accuracy.
Whether every assertion proves true may be less important than what the incident reveals about the changing nature of cyber risk in life sciences. Historically, organizations focused heavily on protecting patient information, employee records, and financial data. Today, attackers increasingly recognize the potential value of scientific research, manufacturing knowledge, proprietary algorithms, AI models, and strategic product information. These assets may represent years of investment and can have direct implications for competitive advantage and future revenue.
For biotechnology executives, the most important takeaway is not whether every claim made by the attackers ultimately proves accurate. The more important question is whether their own organizations could answer the same questions Novo Nordisk is likely facing today: How did the intrusion occur? How long did it remain undetected? What information was exposed? Which stakeholders are affected? And how quickly can leadership obtain reliable answers?
Move from technical incident response to business-impact clarity
- Detect: account compromise, unusual access, data movement.
- Understand: systems affected, data copied, third parties involved.
- Decide: regulatory notices, partner updates, investor messaging.
Question 1: How long could an attacker remain in our environment before we knew?
Cyber incidents rarely begin with large-scale theft. Attackers often enter through a compromised account, vulnerable system, or third-party connection and then spend time learning how the organization operates. By the time unusual activity becomes visible, they may already understand the organization's structure, technology landscape, and data assets.
For biotechnology companies, this reconnaissance phase can be especially valuable because research environments contain scientific information, clinical documentation, intellectual property, and partner data spread across numerous systems.
If attackers maintain access for an extended period, they may gain insight into far more than individual datasets. Research priorities, vendor relationships, organizational structures, manufacturing initiatives, acquisition strategies, and future development programs can collectively provide a detailed picture of how a company operates. The concern is not simply that data may be stolen. The concern is that attackers may develop a deep understanding of the organization's future direction.
One useful executive tabletop exercise is to ask a simple question: How would we know? Organizations are often surprised to discover that leadership teams, IT organizations, and security teams have different assumptions about detection capabilities. Tabletop exercises create a chance to align those expectations before a real incident occurs.
For leadership teams, delayed detection can significantly increase both cost and complexity. The longer attackers remain in an environment, the more opportunity they have to access sensitive information, compromise additional systems, and establish persistence. What might have been a limited security event can become a broader business issue involving regulators, investors, partners, and customers. Early detection is often the difference between a manageable incident and a prolonged organizational crisis.
If an attacker gained access to your clinical research environment today, how quickly would your organization know?
Question 2: Do we know where all clinical research data resides?
Clinical research data frequently exists across CTMS platforms, eTMF repositories, EDC systems, CRO environments, analytics platforms, collaboration sites, cloud storage services, and archived project repositories. Over time, data accumulates through studies, partnerships, acquisitions, and technology changes.
When an incident occurs, leadership needs to understand not only what may have been exposed, but also where copies exist and who has access to them.
Consider a realistic executive scenario. The CEO asks which studies are affected. Legal asks which jurisdictions are involved. Clinical Operations asks whether participants may be impacted. Investor Relations asks what can be communicated externally. During a crisis, organizations quickly discover that answering those questions depends on a clear understanding of where information resides and who owns it.
Executive tabletop exercises frequently reveal gaps in organizational understanding of critical data assets. When leaders are asked which studies are affected, which partners are involved, or where sensitive information resides, answers are often incomplete or inconsistent. These exercises help organizations identify ownership and accountability gaps before an actual incident forces those questions into the spotlight.
During an active cyber incident, uncertainty creates its own form of risk. Organizations that cannot quickly identify where critical data resides often struggle to assess exposure, communicate with stakeholders, and make informed decisions. For biotechnology companies, delays in understanding data ownership and location may affect clinical operations, regulatory obligations, and the organization's ability to provide timely updates to leadership and external stakeholders.
USDM's guidance on data integrity in life sciences applies directly here: controlled data is not only accurate data. It is data with clear ownership, context, lineage, access control, and accountability.
Could your organization identify every location where critical clinical research data is stored, processed, or shared?
Question 3: Could we determine what data was actually stolen?
The first question after a breach is whether a compromise occurred. The second is what information was taken. Boards, investors, regulators, partners, and potentially study participants may all expect timely and accurate answers.
Without mature governance, organizations often struggle to determine which datasets were accessed, whether information was copied, and what business consequences may result.
The challenge is that organizations often discover a compromise before they fully understand its scope. Leadership may face pressure to communicate with regulators, investors, partners, and employees while forensic investigations are still underway. Early estimates frequently change as additional evidence emerges. This creates a difficult balance between speed and accuracy, particularly when highly sensitive research or clinical information may be involved.
One reason the Novo Nordisk incident has received significant attention is the uncertainty surrounding the information allegedly obtained by the attackers. Public reporting has described claims involving clinical trial information, manufacturing knowledge, AI models, pipeline assets, and strategic research programs. Regardless of which claims are ultimately validated, the incident illustrates how quickly uncertainty regarding stolen information can become a business issue rather than merely a cybersecurity issue.
One of the most valuable executive tabletop scenarios is not ransomware. It is a data exfiltration event in which leadership must determine what information was taken and how to communicate with stakeholders. These exercises force organizations to address difficult questions involving regulatory notifications, investor communications, partner obligations, and public messaging while operating under uncertainty.
From a leadership perspective, understanding what information was exposed is often more important than understanding how the attack occurred. Investors, boards, regulators, and business partners are likely to focus on business impact rather than technical details. Organizations that can rapidly determine what data was affected are generally better positioned to maintain credibility, satisfy regulatory expectations, and minimize disruption.
Could your organization confidently explain what information was exposed, or would it be forced to estimate?
Question 4: How much exposure exists through third parties?
Most biotechnology companies depend on a complex ecosystem of external partners. A single clinical study may involve contract research organizations, central laboratories, statistical programming vendors, cloud-hosted clinical platforms, imaging providers, regulatory consultants, and specialized software vendors. In many environments, critical information may flow through Veeva platforms, CTMS systems, eTMF repositories, statistical programming environments, cloud-hosted trial systems, and central laboratory platforms.
As a result, critical information often extends well beyond the organization's direct control. Clinical trial data may reside in CRO environments. Regulatory documentation may be managed through third-party platforms. Statistical analyses may be performed by external partners. Sensitive information may move between dozens of systems throughout the life of a study.
This reality creates a difficult leadership challenge. Organizations are often held accountable for protecting information even when portions of that information are managed by external parties. Understanding where third-party risk exists and how those risks are governed has become an essential component of biotechnology risk management.
The question is no longer whether third parties create risk. The question is whether the organization has sufficient visibility into those relationships to understand and manage that risk effectively.
Third-party relationships frequently introduce risks that are difficult to see until an incident occurs. Many biotechnology organizations rely on external partners to support critical business functions, clinical programs, and technology platforms. Leadership teams should view cybersecurity as a shared responsibility that extends beyond organizational boundaries. Understanding where third-party risk exists can help prevent unpleasant surprises during a crisis.
For additional context, review USDM's work around third-party risk management in life sciences and life sciences cybersecurity. Both disciplines matter when vendors, platforms, research data, and regulated operations overlap.
Do you know which third parties have access to your most sensitive data and how their security posture is evaluated?
Question 5: Do we know which assets would hurt us most if they were stolen?
The most interesting aspect of the Novo Nordisk breach may not be the clinical trial data. It may be the possibility, whether ultimately confirmed or not, that attackers sought information tied directly to the company's future competitive position. Public reporting has described claims involving AI models, manufacturing processes, drug development programs, source code, and strategic research assets. These allegations remain unverified, but they raise an important executive question: which information assets would create the greatest business impact if they were exposed?
Assets executives should prioritize by business impact
- Clinical trial data: regulatory scrutiny, participant trust, competitive intelligence, and study continuity.
- Manufacturing knowledge: loss of proprietary know-how, operational disruption, and quality-system exposure.
- AI models and research platforms: loss of innovation advantage, accelerated competitor insight, and uncontrolled disclosure of model logic or training context.
- Pipeline information: competitive exposure, strategic disadvantage, and investor communication risk.
- Partnership and licensing data: negotiation leverage, reputational impact, and contractual exposure.
Many organizations have never formally ranked these assets based on business impact. Yet those assets often underpin the future value of the company.
Not every information asset deserves the same level of protection. Executive teams routinely make investment decisions based on business priorities, and cybersecurity should be no different. Organizations that clearly understand which digital assets contribute most directly to future growth, competitive advantage, and enterprise value are better equipped to allocate resources effectively and prioritize protection efforts where they matter most.
This prioritization also affects AI governance and compliance. If AI models, model outputs, research data, or AI-enabled workflows become strategic assets, they need governance, access controls, monitoring, and incident-response planning that reflects their business value and regulated context.
If your executive team had to identify the information assets that most directly affect company value, could it do so quickly and consistently?
The larger lesson for biotechnology leaders
The life sciences industry is increasingly dependent on digital assets that did not exist a decade ago. Clinical data repositories, cloud-based research environments, AI-enabled discovery platforms, and highly distributed partner ecosystems have accelerated innovation while simultaneously expanding the potential impact of cyber incidents.
As a result, cybersecurity decisions are becoming inseparable from broader business decisions regarding growth, innovation, and operational resilience. The Novo Nordisk breach will eventually be investigated and closed. The questions it raises, however, will remain relevant for every biotechnology organization.
Leadership teams should understand where critical data resides, how quickly compromise would be detected, what information would matter most if exposed, and how third-party relationships contribute to organizational risk. The most valuable lesson from the Novo Nordisk breach may not be what happened to Novo Nordisk. It may be the questions every biotechnology leadership team should already know how to answer.
FAQ: Biotech breach readiness after the Novo Nordisk incident
Why does a pharmaceutical breach matter to emerging biotech companies?
Emerging biotech companies often operate with lean security teams, outsourced research operations, broad partner ecosystems, and high-value scientific assets. A breach can affect clinical operations, intellectual property, investor confidence, regulatory obligations, and partnership trust even if core business systems remain online.
What is the first executive question after a data exfiltration incident?
Leadership needs to know what information was accessed or copied, which systems and partners were involved, and what business obligations follow. The technical root cause matters, but boards, regulators, investors, and partners usually need business-impact clarity first.
How should biotech companies prepare for attacker claims that may be unverified?
Prepare communication and decision workflows for uncertainty. During an investigation, attacker claims may be incomplete, exaggerated, or partly true. Leaders need a process for validating evidence, updating stakeholders, avoiding overstatement, and preserving credibility while facts are still developing.
Where does third-party risk fit into breach readiness?
Clinical research data and regulated documents often move through CROs, labs, platforms, consultants, and cloud services. Breach readiness should include vendor inventory, data-flow mapping, contract obligations, notification pathways, evidence expectations, and ongoing monitoring for critical third parties.
What should an executive tabletop exercise test?
A strong tabletop should test detection assumptions, data-location visibility, exfiltration analysis, third-party coordination, regulatory and investor communications, and asset-prioritization decisions. The goal is to find gaps in decision-making before a real incident turns those gaps into public risk.
References
- Novo Nordisk incident update
- BleepingComputer: Novo Nordisk discloses breach of clinical trials data
- SecurityWeek: Cybercrime group claims Novo Nordisk hack
- BankInfoSecurity: Hackers begin to leak Novo Nordisk's stolen data
