Biopharma Board Governance
← All Articles
Board Dynamics & Effectiveness16 min read

Governance During Crisis: Data Fraud, Safety Signals, and Scandal

|Lawrence Fine

Every biopharma board hopes that it will never need to use this playbook. Most do not. But the boards that do find themselves in a genuine crisis — one of the three archetypes that this article addresses — discover quickly that the work is different in kind from the governance they have been practicing in normal conditions. The frameworks that served well in board meetings about clinical strategy and capital allocation do not translate cleanly to the first 48 hours after a safety signal, the first week after a fraud allegation, or the first month after the criminal indictment of a senior executive.

The three categories named in the title — data fraud, safety signals, and scandal — are not exhaustive. Boards can find themselves managing through a major cybersecurity breach, a labor crisis, the sudden death of a CEO, a public dispute with a major investor, or any number of other emergencies. But the three named here are the ones most distinctive to clinical-stage biopharma, the ones that test governance most severely, and the ones for which the boards that handled them well — and badly — provide the most useful reference material.

This article works through each category in turn, draws on documented cases for what worked and what did not, and closes with the principles that apply across all three.

The Safety Signal: Pfizer and Torcetrapib

On December 2, 2006, the independent Data Safety Monitoring Board overseeing Pfizer's Phase 3 ILLUMINATE trial of torcetrapib notified the company's leadership that the trial showed a statistically significant excess of deaths and cardiovascular events in the treatment arm. Eighty-two patients had died in the torcetrapib-plus-atorvastatin group, against fifty-one in the atorvastatin-alone group. The DSMB recommended that the trial be terminated.

What happened next is one of the cleanest examples in modern biopharma of how a safety crisis is supposed to be handled. The DSMB notified the steering committee. The steering committee accepted the recommendation. Pfizer accepted the recommendation from the steering committee on the same day. The company notified the FDA at 4:00 PM Eastern that evening. By the close of the same day, the company had not only terminated the ILLUMINATE trial but had ended the entire torcetrapib development program. All clinical investigators across all torcetrapib trials were contacted with instructions to inform patients to discontinue the study medication immediately. The investment that was being terminated — approximately $800 million by Pfizer's own accounting — represented, at the time, one of the largest single-day write-downs in pharmaceutical development history.

The governance lessons here are worth naming explicitly.

The first is the value of an independent DSMB with real authority. The structural design of the ILLUMINATE trial — independent monitoring, monthly mortality analysis, quarterly outcomes review — was what made the early signal visible at all. A trial in which the sponsor controlled the interim data review would not have produced the same result on the same timeline. The board's role here is upstream of the crisis: it is to insist, at the trial-design stage, that the safety monitoring infrastructure is genuinely independent and genuinely empowered to recommend termination. Boards that have not satisfied themselves about this before a trial is underway are not in a position to benefit from it when the signal arrives.

The second is the discipline of the response itself. Pfizer's leadership did not delay. They did not request additional data. They did not arrange a phased response that would have preserved optionality. They terminated the program in its entirety, notified the regulator the same day, and instructed clinical investigators to stop dosing patients immediately. This decisiveness was costly in the short term — the company's market capitalization absorbed an immediate and substantial hit — and was almost certainly correct. The alternative scenarios, in which the company delayed termination while attempting to characterize the signal more fully, would have produced both more patient harm and more reputational damage.

The third is the role of pre-existing governance architecture. A response of this speed and clarity does not happen by improvisation. It happens because the company had decision rights established in advance, because the DSMB charter specified what would happen if a recommendation of termination arrived, and because senior leadership and the board knew, in advance, that they would accept such a recommendation if it came. The board's most consequential work on safety governance happens long before the signal — in the documents that establish authority, in the conversations that align leadership on what they will do, and in the discipline of not relitigating those agreements when the moment arrives.

Data Fraud: Cassava Sciences

The Cassava Sciences situation evolved over more than three years and offers a different kind of governance reference: an extended-duration crisis in which the board's role was reactive rather than decisive, and in which the eventual resolution came largely from external authorities rather than from internal governance.

The chronology, briefly. In August 2021, a citizen petition was filed with the FDA by a shareholders' rights law firm, alleging research misconduct and data manipulation in the published work supporting Cassava's Alzheimer's candidate simufilam. The company denied the allegations. Independent scientists subsequently identified additional concerns about apparent data manipulation in published studies. In October 2023, Science reported that the City University of New York had concluded that Cassava's scientific advisor, Hoau-Yan Wang, had committed research misconduct involving twenty papers, including foundational work for the simufilam program. In June 2024, a federal grand jury indicted Wang for fraud. In July 2024, the company's founder/CEO/Chairman Remi Barbier and Senior Vice President Lindsay Burns (his wife) resigned. In September 2024, the SEC charged the company, Barbier, and Burns with securities fraud, alleging that Burns had unblinded herself to treatment assignments and removed approximately 40% of patient data to construct a misleadingly positive subset of Phase 2b results. The company settled for $40 million; Barbier accepted a three-year officer/director bar; Burns accepted a five-year bar. In November 2024, the Phase 3 trial failed to demonstrate clinical benefit on its primary endpoint, and the simufilam program was discontinued.

The governance pattern here, viewed retrospectively, is one in which the board's role was structurally limited throughout. The CEO was also the founder, the chairman, and a major shareholder. His spouse was a senior executive and a co-inventor on the contested research. The scientific advisor under investigation was a long-standing collaborator whose work the company had built upon for over a decade. The configuration was one in which the people whose conduct was in question were the same people who controlled the company's information flow, and the independent directors were operating in an environment in which they had limited capacity to verify what was being represented to them.

This is the crisis category in which boards most often fail not at the moment of crisis but at the moment of architecture. The board's exposure to a fraud crisis is determined years in advance, by decisions about board composition, by the independence (or lack thereof) of senior management from the scientific work in question, by the quality of the audit committee, and by the willingness of the board to engage seriously with outside criticism when it first arrives. Boards that have built genuine independence into the governance structure have substantially more capacity to act when the moment arrives. Boards that have allowed governance to be coextensive with founder-management have very little.

For boards that find themselves in the early stages of a fraud allegation — a citizen petition, a scientific critique, anonymous concerns surfaced on PubPeer or in the financial press — several governance moves are worth considering immediately, regardless of whether the allegations ultimately prove valid.

The first is to constitute an independent investigation. The investigation should be conducted by counsel and forensic specialists with no prior relationship to the company, reporting directly to a special committee of independent directors. The cost of doing this when allegations turn out to be unfounded is modest. The cost of not doing it when allegations turn out to be substantiated is severe — and includes the loss of the legal protection that an independent investigation conducted in good faith would have provided.

The second is to ensure that the company's external communications do not foreclose later corrective action. Companies under fraud allegations often respond with categorical denials issued before any independent review has been conducted. These denials become problematic when later information suggests the underlying concerns had merit. Boards should be active participants in shaping the tone of these communications, and should resist management's natural impulse to characterize the allegations more dismissively than the available facts warrant.

The third is to monitor the trial itself as a separate governance matter. If the allegations bear on the integrity of clinical trials that are currently enrolling patients, the board's obligations to those patients run independently of its obligations to the company's commercial interests. The audit committee, the medical monitor, and the DSMB should be engaged on the integrity question directly. A board that defers entirely to management on this question — particularly when management is itself implicated — is failing in a fiduciary obligation that the standard governance frameworks do not always make explicit.

Scandal: Insys Therapeutics

The Insys Therapeutics case sits in a different category from both torcetrapib and Cassava. The crisis was not a safety signal that emerged from a trial. It was not a data integrity allegation about scientific work. It was the systematic and ultimately criminal commercial conduct of a company whose lead approved product — Subsys, a sublingual fentanyl spray approved for breakthrough cancer pain — was being aggressively marketed for off-label use through an institutionalized scheme of bribes and kickbacks to prescribing physicians.

The relevant chronology is well documented. The company was founded by John Kapoor, who served as its founder, Executive Chairman, and a controlling shareholder. Subsys was approved in 2012. Federal investigations into the company's commercial practices intensified through the mid-2010s. Kapoor was arrested in October 2017. On May 2, 2019, a federal jury in Boston convicted Kapoor and four other former Insys executives — including a former Vice President, a former National Director of Sales, and former Regional Sales Directors — of racketeering conspiracy. Kapoor was the first chief executive of a pharmaceutical company to be convicted at trial in connection with the opioid crisis. On January 23, 2020, he was sentenced to 66 months in prison and a $250,000 fine. The company filed for bankruptcy in June 2019.

The governance question that Insys raises is not how the board responded to the crisis. By the time the crisis was visible externally, the underlying conduct had been ongoing for years. The governance question is how the board allowed a culture in which that conduct was possible to develop and persist, and what an independent director on that board could or should have done at any of the multiple earlier moments at which the underlying practices were visible internally.

The honest answer is that the structural conditions for governance to function were largely absent. The founder was also the executive chairman. The sales organization reported to leadership whose compensation was tied to volume produced by the misconduct. The company's culture rewarded the behaviors that were ultimately prosecuted. An independent director attempting to surface concerns into this environment would have been attempting to govern a company that did not, in any meaningful sense, accept governance.

This is the version of crisis that boards most often miss until it is too late to act, because it does not announce itself in the way that a safety signal does. There is no DSMB recommendation, no citizen petition, no specific event that forces a board response. The misconduct is operational, distributed across the organization, and invisible to directors who are not actively looking for it.

The governance implication is that boards in commercial-stage biopharma — particularly in therapeutic areas with high abuse potential or aggressive sales cultures — owe themselves a level of operational scrutiny that goes beyond what the standard board materials provide. The audit committee should engage directly with the company's compliance function, not merely review the compliance officer's quarterly report. The independent directors should have access to whistleblower channels that do not flow through management. The board should ask, with some regularity, what the company is doing that it would not want to read about in the press, and treat the management response as a substantive matter for board engagement rather than as a perfunctory disclosure question.

None of these practices guarantee that a board will detect institutionalized misconduct before it becomes a crisis. But the difference between a board that has built this infrastructure and a board that has not is the difference between having a chance of detecting the problem and having essentially no chance at all.

The First 48 Hours

Across all three categories, the first 48 hours after a crisis becomes visible to the board are disproportionately consequential. A few principles tend to distinguish well-handled openings from poorly-handled ones.

The first is that the board chair, or lead director, takes operational charge of the governance response. This does not mean displacing the CEO from operational decision-making. It means that the board's own response — its own information flow, its own deliberation, its own communication — is run by an identified director rather than allowed to develop ad hoc. In safety crises, this is often the chair of the audit committee or a designated scientific director. In data integrity crises, it is often the chair of a newly constituted special committee. In scandals, it is often the lead independent director.

The second is that an emergency board meeting is convened, in person if possible, within a defined window — typically 24 to 72 hours. The meeting is held with management present for the substantive briefing, then in executive session without management for the board's own deliberation. The board's deliberation, separate from management, is the point at which the board's collective judgment can be formed without filtration, and it is often the moment at which the most important governance decisions of the crisis are made.

The third is that the board immediately constitutes the right substructure for the crisis. In a safety crisis, this typically means engaging directly with the DSMB and the medical monitor. In a data integrity crisis, it means constituting a special committee of independent directors with authority to retain independent counsel and forensic specialists. In a scandal, it means engaging white-collar criminal defense counsel and assessing the company's compliance function as a board matter rather than a management matter. Each of these substructures requires decisions that the board cannot defer.

The fourth is that the board exercises judgment about communication architecture before any external statement is made. Who speaks publicly — the CEO, the board chair, both, or external counsel — is a decision with implications that often outlast the crisis itself. The instinct to defer the question, or to allow it to be resolved by communications staff, should be resisted. The board's posture in the first public statement of a crisis tends to set the trajectory for everything that follows.

What These Crises Share

Across the three archetypes, several principles recur with enough consistency to be worth naming.

Governance during crisis is fundamentally a question of governance before crisis. The boards that handle crises well are the boards that have, over time, built the architecture — the DSMB independence, the audit committee engagement, the whistleblower infrastructure, the special committee precedents — that allows them to act quickly when the moment arrives. The boards that handle crises badly are the ones that find themselves trying to build that architecture in the first 48 hours, which is too late.

The information asymmetry between management and the board is at its greatest during crisis. In normal conditions, the board's reliance on management for information is a manageable feature of the governance relationship. During crisis, that reliance becomes a vulnerability, because the management team is itself under stress and — in some cases — implicated in the events under review. Boards that have not built independent information channels in advance find that they cannot build them quickly enough to use them in real time.

External counsel, forensic specialists, and crisis communications advisors should be engaged early rather than late. The cost of engaging these resources and discovering that the crisis is smaller than initially feared is modest. The cost of not engaging them and discovering that the crisis is larger is severe. Boards that hesitate at this decision — typically out of cost sensitivity or concern about signaling that the situation is grave — almost always regret the hesitation afterward.

The board's posture toward the CEO during the crisis warrants explicit attention. In a safety crisis like torcetrapib, the CEO and the board are working as a unit against an external problem. In a data integrity crisis or a scandal, the CEO may be the source of the problem, and the board must develop a posture that acknowledges this possibility without prejudging it. The transition between these two modes is one of the most difficult things a board has to manage, and it is often handled badly because directors are reluctant to make the shift even when the evidence supports it.

A Closing Note on the Pillar

This article concludes the series on Board Dynamics & Effectiveness, the fourth pillar of biopharmagovernance.com. The eleven articles in this pillar have worked through the structural and cultural foundations of board work in clinical-stage biopharma — from the basic tensions between investor and independent directors, through CEO evaluation and succession, through the politics of small boards, through founder-CEO dynamics, through the building of cultures of constructive dissent, and finally to the moments when the work of years is tested by genuine crisis.

The throughline across all eleven articles, if there is one, is that the quality of biopharma governance is determined less by the formal structures it adopts than by the substantive practices it builds and maintains over time. The right structures matter. But the boards that consistently produce good outcomes for their companies, their employees, and their patients are the ones that treat governance as substantive work in itself — and that build the cultural, structural, and individual capacity to do that work even when, especially when, the situation makes it difficult.

In clinical-stage biopharma, where the consequences of governance success and failure are absorbed not only by shareholders but by the patients enrolled in trials, that work is worth the investment it requires.

Lawrence Fine is CEO of AGCP Farmacêuticos and has direct biopharma board experience through Phase II clinical trials and successful exits.

Continue Reading

Board Dynamics & Effectiveness13 min read

Building a Culture of Constructive Dissent in the Boardroom

Groupthink is the silent killer of biopharma boards. Building a culture where honest disagreement is normal is one of the most consequential governance investments a board can make.

Board Dynamics & Effectiveness12 min read

Founder-CEO Dynamics on Venture-Backed Boards

When the scientific founder is also the chief executive, the board faces a distinctive set of governance challenges. The standard playbook does not quite fit.

Board Dynamics & Effectiveness12 min read

When the Board Needs to Replace the CEO Mid-Trial

The governance process for the hardest leadership decision a biopharma board will ever make — and how to execute it without destroying the company in the process.

Stay Informed

Governance insights delivered to your inbox. No spam.