From GibsonDunn, by Winston Chan, Jonathan Phillips, Gustav Eyler, John Partridge, Christopher Rosina, Carlo Felizardo, and Nicole Waddick:
- The FDA approval process for digital health “cyber devices” requires that premarket submissions contain cybersecurity information, including the company’s plans to address cybersecurity vulnerabilities, processes to provide a reasonable assurance that the devices are cybersecure, a software bill of materials, and other information as the Secretary requires.
- As of October 1, 2023, the FDA expects companies to comply with these new cybersecurity requirements.
- False statements related to these disclosures could give rise to false statements and subsequent risk based on the “fraud-on-the-FDA” theory of liability.
- Companies should take significant care in their statements in premarket submissions regarding their cybersecurity practices and procedures.