CASE STUDY - LS LAW
Pre-exit cybersecurity, AI & data governance risk assessment for a scaling life sciences group
Learn how we delivered a board-led, integrated assessment of cybersecurity posture, AI governance, data protection and accountability across the UK, Ireland and UAE operations of a fast-growing pharmaceutical and medical device group, ahead of regulatory scrutiny and acquirer due diligence.
Background
The client is a fast-growing pharmaceutical and medical device group with 150+ Market Authorisations, ISO 13485 certification, and operations across the UK, Ireland and the UAE. As the business continues to scale and an exit strategy comes into focus, IT infrastructure, cybersecurity posture, AI governance and data handling all need to withstand both regulatory scrutiny and acquirer due diligence.
Cybersecurity, legal and data protection, and IT governance are typically managed across different functions, which makes it difficult to maintain a clear, joined-up view of risk, accountability and exposure across the organisation. Regulatory expectations across GDPR, GxP and AI governance are increasing in parallel with growing reliance on data, third-party providers and digital infrastructure. The board needed a clear, risk-rated picture of where the business stands today — and a prioritised roadmap to close the gaps before they become deal blockers.
The LS Law Approach
One integrated assessment, three connected workstreams. A senior-led advisory engagement: structured stakeholder interviews with leadership and operational staff (4–6 core functions), targeted questionnaires to gather information in advance, and a review of selected documentation and governance materials. No scanning tools or technical testing were used: the aim was to understand what the business has in place, what it does not, and what matters most. Findings were integrated across cyber, data, governance and IT to deliver a single, coherent risk view rather than four parallel reports.
Cybersecurity and AI. High-level review of security posture, key vulnerabilities, access controls, incident readiness and compliance gaps, as identified through interviews and document review rather than technical testing. Use of AI tools across the business, including data-leakage risk and policy gaps. Backup, recovery and disaster-recovery preparedness. Security posture of key vendors, CMOs, CROs and IT suppliers.
Data Protection and Regulatory Exposure. Handling of personal and sensitive data across the organisation (employee, clinical and business) and alignment with core data-protection principles. High-level alignment with GDPR / UK GDPR (transparency, lawful basis, accountability). Review of key documentation: records of processing activities (ROPAs), data protection impact assessments (DPIAs), privacy notices and sample policies. Mapping of key data transfers and international flows.
Governance, Accountability and GxP Integrity. Roles, responsibilities and decision-making structures for data protection, data incidents and data use. Interaction between data governance and GxP expectations, including the ALCOA+ data-integrity principles (attributable, legible, contemporaneous, original, accurate, plus complete, consistent, enduring and available) and the governance of computerised systems. Targeted review of key third-party relationships (4–6 CROs, CMOs, vendors or partners).
Eight assessment areas were covered, each at the level of detail an in-house General Counsel, Compliance Officer or board would want to see when making a decision about prioritisation, remediation or external advice: cybersecurity; governance and accountability; regulatory exposure; GxP and data integrity; third-party data sharing; data protection practices; AI and data governance; and documentation and controls.
Senior-led, end to end. Engagement lead: Stanley Konopka, MBA, CCISO. 24 years in technology leadership, including 9 years at Celgene (now BMS) operating across 42 countries, plus CIO/CTO roles at other regulated life sciences organisations. Built IT functions, cybersecurity programmes and compliance frameworks from the ground up, including through IPO and commercial launch.
The Outcome
Board-ready deliverables, designed for action. The output was a focused set of materials that the board, investors and acquirers could all work from. No theoretical analysis: the deliverables were structured so the leadership team could make confident, informed decisions and the IT, legal and compliance functions could act on a prioritised remediation plan. They comprised a high-level risk summary across cybersecurity, data, governance and AI; identification of key gaps and priority risk areas; practical, prioritised recommendations aligned to business operations; an initial remediation roadmap with quick wins identified; and a board-ready executive summary suitable for investor and acquirer due-diligence packs.
Three jurisdictions in scope (UK, Ireland, UAE). Four to six core functions interviewed. Three to four week delivery timeline. One integrated, board-ready risk view.
From fragmented function-by-function risk to a single, joined-up view leadership can act on — a coherent, risk-rated picture across cyber, AI, data and governance, with prioritised actions and a remediation roadmap that supports both ongoing regulatory compliance and the diligence demands of an exit process.
Confidence that the risks had been identified and peace of mind that they were not exposed to a potential unknown breach of GDPR, and clarity in terms of the continuous improvements needed.
Looking for commercially-focused legal support?
Get in touch with us today to get the ball rolling.