West Pharmaceutical Services, a NASDAQ-listed S&P 500 manufacturer of injectable drug delivery systems supplying major pharmaceutical companies globally, filed an SEC Form 8-K on 13 May disclosing a material cybersecurity incident in which threat actors encrypted company systems and exfiltrated data. The filing represents one of the first post-CIRCIA material incident disclosures from the pharmaceutical manufacturing sector and illustrates the new regulatory landscape governing breach notification for listed companies.
The Incident
West Pharmaceutical Services produces stoppers, closures, and prefillable systems for injectable pharmaceuticals. The company confirmed that threat actors gained access to its IT environment, moved laterally to manufacturing and quality management systems, exfiltrated data including manufacturing specifications and quality control documentation, and then deployed ransomware to encrypt affected systems.
Production at certain facilities was disrupted while isolation and recovery procedures were executed. The company stated that it has engaged a forensic incident response firm and notified law enforcement. The identity of the ransomware group was not confirmed in the 8-K but the FBI has attributed similar attacks on pharmaceutical manufacturers to ransomware-as-a-service affiliates operating under the Akira and LockBit successor brands.
Regulatory Significance
The 8-K disclosure was filed under the SEC’s cybersecurity disclosure rules, which require publicly traded companies to report material cybersecurity incidents within four business days of determining materiality. This determination — whether an incident is “material” — has become a significant legal and operational question for security teams at public companies.
West Pharmaceutical’s disclosure noted:
- The company “cannot determine at this time the full scope or impact” of the exfiltrated data
- Manufacturing disruption may affect the company’s ability to fulfil orders in the near term
- The incident “may have a material adverse effect on the company’s results of operations”
The filing also acknowledges obligations under DORA for its European operations and notes FDA reporting obligations given that the affected systems support drug manufacturing quality processes.
Why It Matters for Security Leaders
The West Pharmaceutical incident is significant as a governance reference point: a manufacturing company has publicly disclosed that ransomware reached its quality and manufacturing systems, not just administrative IT. This demonstrates that the IT/OT boundary is increasingly a legal and regulatory issue, not just a technical one — exfiltration or encryption of manufacturing process data can constitute a material event requiring board-level response and public disclosure.
Security leaders at public companies, particularly those in regulated industries, should review:
- Their materiality determination framework: what constitutes a “material” cybersecurity incident and who makes that determination
- The timeline from detection to SEC notification (four business days from materiality determination — not from detection)
- Whether their cyber insurance coverage includes regulatory reporting costs and third-party liability arising from customer data exposure
Recommended Actions
- Governance: Confirm your organisation has a documented materiality determination process for cybersecurity incidents involving your legal, finance, and security leadership. The determination must be made within days, not weeks.
- Manufacturing/OT scope: Assess whether your IT incident response plan addresses the scenario of ransomware reaching manufacturing or quality systems — these have different recovery requirements than standard IT.
- SEC/CIRCIA obligations: If your organisation is publicly listed or operates critical infrastructure, review current SEC cybersecurity disclosure rules and the CIRCIA reporting timeline. Obligations in both frameworks have tightened since 2025.
Share this article