Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because ransomware actors have already demonstrated capability and intent by successfully encrypting systems and exfiltrating data across West Pharma's global operations — this is a confirmed incident in progress, not a theoretical exposure. Impact is very high because West Pharma is a critical-path manufacturer of injectable drug delivery components embedded in pharmaceutical customers' production supply chains; system shutdowns directly threaten downstream drug manufacturing continuity, and the SEC 8-K Item 1.05 material disclosure creates concurrent investor, regulatory, and reputational consequences at enterprise scale.
Treatment rationale: Active system encryption and confirmed data exfiltration require immediate containment, recovery, and control reinforcement — the risk cannot be transferred (no coverage backstops operational shutdown at this scale), accepted (material disclosure obligations are already triggered), or avoided (the attack is underway), making mitigation the only viable primary treatment.
Third-Party / Supply-Chain Risk
West Pharmaceutical Services is a concentrated, single-source supplier of pharmaceutical packaging and injectable drug delivery systems to a broad base of pharmaceutical manufacturers. Under NIST SP 800-161, this represents a critical-tier third-party dependency: any pharmaceutical customer organization that has not mapped West Pharma as a critical supplier, assessed alternate sourcing, or stress-tested single-source dependencies in their supplier risk program now faces unplanned supply continuity exposure. Organizations should immediately assess inventory buffers, identify qualified alternate suppliers, and activate supplier-incident escalation protocols per their third-party risk management program.
Loss Exposure (illustrative)
Magnitude: Very high — illustrative $50M–$500M+ range for West Pharma directly; illustrative $1M–$50M+ per significantly affected pharmaceutical customer depending on inventory buffer depth and production dependency
Frequency: This is a realized event, not a frequency estimate; for peer organizations in critical manufacturing or pharmaceutical supply chain, ransomware incidents of material severity are occurring at a rate that makes annual exposure planning appropriate
Annualized: Insufficient basis for ALE framing at West Pharma directly given the incident is active and scope is unconfirmed; for dependent pharmaceutical customers, annualized supply-disruption loss exposure should be modeled against single-source supplier concentration as an input to third-party risk quantification exercises
Basis: West Pharma range is derived from: global operational shutdown across a multi-facility manufacturer (operational loss), SEC material disclosure (regulatory response costs, litigation exposure, investor remediation), ransomware recovery and forensic response at enterprise scale, and potential customer indemnification or contractual liability — no third-party benchmark reports cited. Customer-facing range is derived from: production delay costs for injectable drug delivery systems (high-value, regulated products), emergency sourcing premium, and regulatory exposure from drug supply disruption — all illustrative and organization-specific.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed data exfiltration may invoke cyber-insurance first-party loss provisions (business interruption, data recovery, ransomware response costs) — verify scope, sublimits, and notice deadlines with broker immediately.
• Exfiltrated data may include employee PII, customer data, or regulated health-adjacent information that could invoke state and federal breach-notification obligations — verify applicability and notice timelines with counsel.
• SEC 8-K Item 1.05 material disclosure filing may trigger D&O insurer notice obligations — verify with broker and counsel.
• Pharmaceutical customer contracts with West Pharma may contain supply continuity, data-handling, or breach-notification clauses that West Pharma is now potentially in breach of — affected customers should review vendor agreements and escalate to counsel.
• If West Pharma holds, processes, or transmits data subject to HIPAA business associate relationships, BAA obligations and HHS notification requirements may be implicated — verify with counsel.