The London-based device developer disclosed the cybersecurity incident in a Securities and Exchange Commission filing this week, saying the incident disrupted portions of its information technology systems and business operations.
“Promptly after detecting the issue, the company began an investigation with assistance from external cybersecurity experts and is coordinating with law enforcement,” LivaNova said in the filing. “The company continues to assess what information and systems were impacted and is executing its incident response plan, including implementing remediation measures to mitigate the impact of the incident.”
“The company has and will continue to take actions to remediate the issue, such as taking certain systems offline,” the company continued.
LivaNova said it expects continued disruption of its operations, and can’t yet determine “the extent of the impact from such event on its business, results of operations, cash flows or financial condition.”
Earlier this year, the SEC launched new regulations requiring publicly traded companies to disclose cybersecurity incidents within four days of determining that they are material events. (These regulations are different than the FDA’s new cybersecurity requirements for developers and manufacturers of cyber devices.)
However, LivaNova did not report its incident under the particular SEC filing (Form 8-K, Item 1.05) for material cybersecurity events.
LivaNova is one of the world’s largest medical device companies, coming in at No. 72 on Medical Design & Outsourcing‘s latest Medtech Big 100 ranking of the largest device manufacturers by revenue. The company develops and manufactures cardiac surgery and neuromodulation devices.
In October, another Medtech Big 100 company — Henry Schein — became the first major medtech company to report a cybersecurity incident after the passage of the new SEC rules. Henry Schein has said the cyberattack and data breach will likely result in a year-over-year sales decline instead of previously projected growth.