Cybersecurity Risks Discussed at Roundtable on Remote Regulatory Assessments

Information-sharing at voluntary, remote inspections can be valuable, but must guard against cyber threats.

Since the onset of the COVID-19 pandemic, up until recently, the U.S. Food and Drug Administration has been restricted in the kinds of auditing activities it undertakes among food and supplement firms and their facilities.
 
One key adaptation the agency made in March 2020 was piloting a Remote Random Assessment (RRA) program, a voluntary assessment the agency offered to specific manufacturers in the food, beverage, and supplements industry. While not an official audit, the program allowed FDA inspectors to prioritize issues to investigate in an official capacity at a later date. At the start, these remote assessments also served as a way for food manufacturers to better prepare for future audits, as well as to demonstrate that corrective actions from previous audits had been taken.
 
“The information that can be gleaned from these activities is incredibly valuable,” said Priya Rathnam, director of field programs and guidance in the FDA Office of Compliance, during a roundtable discussion hosted by the Consumer Brands Association. “It can aid in our prioritization efforts, enhance our information about risk assessments, and help us to better target areas that make the most sense from a public health perspective.”
 
Adapting the Program
As a pilot program, the RRA model is still very much in development. Both FDA officials and industry stakeholders present at the roundtable discussion on July 14 said that, thus far, industry members have been able to dialogue with inspectors during the voluntary RRA process to create a mutually beneficial process for the agency and participating companies.
 
“While nothing in the RRA rises to the gold standard level of an in-person inspection, there is valuable information, all of which is given to us in a voluntary manner,” said Michael Rogers, assistant commissioner for human and animal food operations, FDA.
 
So far, the agency has looked to firms that have had a good compliance history during the RRA pilot, and prioritized the confirmation of records such as training certifications. “People asked us about the purpose or the benefit of the RRA,” said Rogers. “We think the incentive is that we can have a memo of prior investigation, and use a platform to dialogue with firms as they show us records.” Some stakeholders, he added, told the agency they could benefit if an RRA approach was used on the front end of a Tier 1 or Tier 2 inspection, in order to save time during audits.
 
While CPG manufacturer Post Holdings did not have any corrective actions to verify with FDA, the company participated in order to be an active participant in piloting the RRA program, and found that it served as an opportunity for mutual mentorship, said Maureen English Carroll, associate general counsel for Post Holdings. “We sent reams of documents that would have been too difficult for an RRA, but were able to work with the agency to come up with a process that would work for an inspection-type activity after two weeks.”
 
“General Mills has participated in multiple inspection pilots,” said Courtney Bidney, director of global regulatory affairs & international nutrition at General Mills. The company conducts its own audit of pilot programs to assess performance and ensure they work as designed. “These pilots showed us the importance of a two-way dialogue throughout the inspection process to answer inspectors’ questions along the way, allowing inspections to be focused on much more critical areas. We participated in the RRA, and verified previous corrective actions in what proved to be an efficient and effective way.”
 
For Mondelez Global, having the ability to go over specifics in advance with inspectors was a major time-saver for a future on-site inspection, according to Heather McIntyre, senior quality leader. “Introducing the chance for dialogue outside of an on-site inspection was a big start to this journey, but as this is a pilot, flexibility is key. We were open to sharing some documents electronically, but I’m sure our preferences differed from other companies; each company will have its own nuances and preferences.”
 
While PepsiCo didn’t participate in an RRA, Michael Freeman, who works in global food safety at the company, said that during its time in Tier 1 and Tier 2 pilot inspections, the company benefited greatly from the ability to engage in detailed communication with inspectors, especially given the scale of its supply base and the fact that it still uses a paper-based system to mitigate cybersecurity risk.
 
“Our subject matter experts were able to speak directly with the FDA on our large supply base, and we gained confidence in hearing FDA inspectors say that they completed in half a day what they thought would take two days,” Freeman said. “It was nice to see an opportunity area for remote tech […] but we need to realize that this needs to remain voluntary, and that organizations have a choice, because of the unique challenges that each company may have.”
 
Freeman added that the old model of FDA inspectors simply picking up documents to review later is no longer viable, given how much more complex food processing has become. “Companies have a huge part in explaining operations clearly so investigators can properly assess a facility, and complete the regulatory mission they’ve come to do.”
 
Cybersecurity: A Big Concern
Among the industry spokespeople at the panel discussion was an overwhelming concern that the RRA process would need to involve serious cybersecurity measures, and a continued assumption that all documents shared would need to be done on a purely voluntary basis in order to protect crucial trade secrets.
 
“Security is something to talk in depth about, and is something incredibly important for us. It was definitely a struggle in setting up how we were going to do this, and we don’t take security aspects lightly,” Carroll said. “We need to make sure an inspector is who they say they are, and what kind of documents we’re going to share in order to protect the confidentiality and integrity of documents. We think about trade secrets a lot, and spend a large amount of our energy on preserving them.”
 
Referencing a ransomware attack on meatpacker JBS, which resulted in the company paying $11 million to hackers in order to resume its supply chain operations, Carroll said there is much to learn, and much that cannot be anticipated, about the sort of cybersecurity threats manufacturers may face in the future.
 
Freeman added that a company’s IT department ought to be involved early and often in any potential RRA process in the near future.
 
Shortly after the start of the RRA pilot, the Association of Food and Drug Officials developed an application called Secure Document Transfer, built specifically for RRAs to enhance the security of document sharing. According to Patrick Kennelly, program director, the app has an array of privacy controls, such as limitations on document sharing, screenshot restrictions, read-only options, password protection, and more.
 
Ultimately, inspectors are also responsible for protecting documents from unauthorized access. “There’s a great deal of security policy within government agencies, and this product isn’t intended to be a mechanism to collect documentation via photos or screenshots. Inspectors are still obligated to deal with egregious issues not within a remote review, but within an in-person inspection of a facility,” Kennelly said.