An April cyberattack has caused Evotec to revise downward its financial guidance and expectations from unpartnered R&D efforts.
The German biotech previously expected 820 million to 840 million euros ($900 million to $921.8 million) for 2023 group revenues, but the range has now been updated to 750 million to 790 million euros ($823 million to $867 million), according to a Thursday press release. Unpartnered R&D has been revised from 70 million to 80 million euros ($76.8 million to $87.8 million) while EBITDA has been pushed down from 115 million to 130 million euros ($126 million to $142.7 million) to 60 million to 80 million euros ($65.8 million to $87.8 million).
Evotec announced that systems had been taken offline by a cyberattack in April. This led to a drop in productivity throughout the entire second quarter, according to today’s update. Things started off well in the first quarter for Evotec, with revenues exceeding 210 million euros ($230.4 million) and 30% growth, showing that “underlying business dynamics in a challenging environment are intact,” according to the company.
Evotec had to take swift action in response to the attack, taking all external-facing systems offline to protect the company’s partners and “ensure that integrity of scientific data remained unaffected,” according to Thursday's press release. Partners include Johnson & Johnson unit Janssen Pharmaceuticals, Takeda and Sanofi.
Operations were re-started at the end of April and productivity reached 50% in May, rising to 80% in June.
The company still expects to make 370 million euros ($406 million) in revenue this half, due in part to the nature of Evotec’s long-term collaborations. The company said part—but not all—of the missed 70 million euros ($76.8 million) should be possible to make up in the remaining half of the year.
Evotec spent about 25 million euros ($27.4 million) responding to the cyberattack, which are one-off costs. But the company plans to take other steps to bolster its IT infrastructure “to build a better, safer, and even more efficient organization for the future.”
Helping to mitigate the disruption are two partnerships with Sandoz and Bristol Myers Squibb, the company said.
Evotec’s cyberattack nightmare is a cautionary tale for other biopharmas. Eisai was hit with a ransomware attack in June and Novartis was a victim last year. A 2021 report from the U.S. government found that healthcare was the industry highest-hit by cyberattacks, accounting for nearly a quarter of events in 2020.