Medical device companies face heightened cybersecurity burdens, antitrust enforcement and supplier risks, according to a new report out of Moody’s.
The research firm’s previous quarterly report in February called attention to continued supply chain and labor problems for medtech.
Below are the key highlights for medical device companies from the latest report.
Medical device cybersecurity
The report flagged legislative proposals for new rules and regulations on medical device developers and manufacturers, including new cybsecurity rules.
“The industry is ripe for increased oversight of cyber risks,” the analysts wrote in their report. “We have identified the sector as having a medium high exposure to cyber risk. And our survey of rated healthcare issuers indicates that medical device companies somewhat trail other healthcare sectors (hospitals and pharmaceutical companies) in overall preparedness to address cyber risk.”
If passed into law, the new rules would create significant — but likely worthwhile — costs for the industry, given the prevalence of remote monitoring devices such as insulin pumps, defibrillators and cardiac monitors.
“We believe such legislation would likely raise the cost of product development for medical device companies, or lengthen any regulatory review processes at the [FDA],” the report said. “That said, we believe the value of new cybersecurity measures would pay benefits, that, over time, would outweigh their costs.”
Medical device companies are already staffing up their cybersecurity teams. The average growth in full-time cyber employees was 49% between 2019 and 2022, compared to 45% from 2017 to 2019, according to Moody’s healthcare cyber risk survey.
Outsourced cyber hiring is also growing but at a much slower pace of 14% from 2019 to 2022 compared to 48% from 2017 to 2019, the survey found.
One-third of CEO compensation packages include cybersecurity goals, Moody’s said.
Contract manufacturer regulation and credit risk
Moody’s also warned of the credit risk of regulation on contract manufacturing organizations (CMOs), given that oversight can be opaque because the FDA does not regulate all CMOs.
“While all contract manufacturers and sterilizers of finished devices must register and list with the FDA, manufacturers of components that are distributed only to a finished device manufacturer are exempt from FDA requirements. … Given that most rated CMOs are highly levered at deeply speculative-grade ratings, a regulatory misstep has the potential to be particularly credit negative for these companies,” the analysts wrote.
An FDA warning letter could increase costs for remediation and compliance, as it did for Femur Buyer in 2019, decreasing profitability, increasing financial leverage and contributing to a ratings downgrade, the report said.
But FDA oversight can be beneficial for a CMO’s credit outlook because it increases the costs of the customers to find a substitute supplier, “as any new CMO supplier would require revalidation and inspection by the FDA,” the analysts said.
“To that end, switching contract manufacturer relationships would require significant time and expense for device companies, which typically leads to long-duration relationships with CMOs,” they wrote.
Medical device antitrust enforcement
Medical device companies in the market for mergers and acquisitions face heightened antitrust enforcement in the U.S. and Europe, Moody’s analysts said.
Their report cited Illumina’s 2021 acquisition of Grail as an example, noting the company is not only exposed to European Commission fines of up to 10% of annual revenue, but the worst-case scenario of a forced divestiture.
“A forced disposal of Grail would mostly represent a lost opportunity for Illumina, given Grail’s growth potential should its cancer screening tool become widely adopted by the U.S. healthcare system in the coming years,” the analysts wrote.