St. Jude’s Medical has filed a defamation lawsuit against short-seller, Muddy Waters LLC, and cyber-security research company, MedSec Holdings, along with executives at the companies, following allegations by the companies of cybersecurity vulnerabilities in some of St. Jude’s medical devices.
MedSec Holdings first approached investment company, Muddy Waters, last year with information that alleged cybersecurity flaws in St. Jude’s pacemakers and defibrillators make the devices vulnerable to being hacked and manipulated. Instead of approaching St. Jude directly with their findings as is typically done in the industry, MedSec decided to go straight to Muddy Waters with the information.
The two companies went on to form an unprecedented partnership that led to Muddy Waters shorting St. Jude stock based on the information brought to them by MedSec, in exchange for which they will pay MedSec a portion of any profits made from this information. St. Jude shares took an immediate nosedive after Muddy Water’s release of a research report outlining the security vulnerabilities and announcement of their short position on August 25, 2016. St. Jude stock had previously been up after an announcement of a planned $25 billion dollar acquisition later this year.
St Jude’s prior history with security issues may have led to it to being singled out by the Florida-based, MedSec. MedSec CEO stated in a Bloomberg interview that “St. Jude Medical stood out, far and away, as severely deficient when it comes to security protections” in the company’s research into security flaws in medical devices. MedSec chose not to directly notify St. Jude because “[they] felt that notifying the company would simply give it a chance to prepare its ‘messaging’ in an effort to sweep this under the rug.”
Potential future alliances between cybersecurity companies and for-profit investment firms that publicly announce cybersecurity vulnerabilities as a part of a short selling strategy are just one more potential byproduct for companies with questionable cybersecurity programs. Companies have been dealing with more obvious consequences of cybersecurity issues like risk of breach, regulatory fines, and lawsuits but may now have to worry about public disclosure of security flaws by companies looking to make a profit. Companies may also face additional security threats if they learn of security vulnerabilities at the same time as hackers, eliminating their ability to fix the bugs before they are announced to public.
St. Jude has already announced it is creating a Cyber Security Medical Advisory Board (CSMAB) in the wake of the recent events surrounding their security practices. Although the jury is still out on whether public outing and disclosure will be good for consumer safety, it is clear that public companies should make cybersecurity a priority by investing in strong cybersecurity and data protection programs.