Mallinckrodt plc - (MCKPF)
10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity.
We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners to conduct key operations across our enterprise.
Cybersecurity Program
We have worked to develop our cybersecurity program to protect the confidentiality, integrity, and availability of systems and data. We have implemented administrative, technical, and physical safeguards that we believe are appropriate to the size and complexity of our business and the nature and scope of our activities. We evolve our cyber defenses to help minimize impacts from cyber threats to safeguard our assets and data.
Our program includes a number of safeguards. These safeguards include processes for endpoint security (such as anti-malware and endpoint detection and response tools), network security (such as firewalls, intrusion detection systems, and filtering), and vulnerability management (such as vulnerability scans and patch management). Applicable personnel are provided cybersecurity awareness training and receive periodic awareness through ad hoc communications on security topics, including how to report suspicious activity or potential incidents. However, vulnerabilities or threats identified through our cybersecurity program may take time to remediate or mitigate.
We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider and performing additional risk screenings and procedures, as appropriate. We have established a third-party risk management program that includes a formal vendor and cloud security policy and processes to conduct diligence on applicable vendors, including thorough questionnaires and additional documentation. Cybersecurity controls language may be included in third-party service provider contracts, and if applicable, this language is designed to be tailored to the use case and sensitivity of any data or business processes involved.
Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
To assess, identify, and manage potential cybersecurity threats, our Security Operations Center ("SOC") team works in conjunction with a third-party managed security service provider to monitor systems and threats, including those on systems managed by third parties, such as cloud platforms.
We maintain an incident response program to address potential or actual cybersecurity incidents. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and the associated threat, containing the threat, remediating the threat (including recovery of data and access to systems), analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We maintain a Cybersecurity Incident Response Plan ("IRP") and business continuity and disaster recovery plans in the event of a significant cybersecurity incident or disruption. The IRP is tested using tabletop exercises.
Governance
Management Oversight
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by a team that includes our Chief Information Security Officer ("CISO"), who reports to our VP of Information Systems. The CISO is supported by a SOC team, an Incident Response Manager, a Governance Risk and Compliance Manager, and cybersecurity architects. These individuals and groups are responsible for the day-to-day management of our cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and are regularly engaged to help ensure our cybersecurity program functions effectively in the face of evolving cybersecurity threats. The individuals involved generally have significant experience in cybersecurity and related information technology, including responding to incidents and developing security policies, with our three most senior leaders having an average of 25 years of experience in cybersecurity.
In addition to the day-to-day management of these risks, we hold a monthly meeting of an Information Risk Committee, which is comprised of representatives from our legal, human resources, compliance, and information technology departments. On a quarterly basis, we also hold a meeting of our Executive IT Steering Committee, which is comprised of members of the executive leadership, so that they can receive regular briefings on cybersecurity matters, including threats, events, and program enhancements.
Board Oversight
Our full Board of Directors provides oversight for our cybersecurity program. At least annually, the CISO and the VP of Information Technology report to the Board of Directors on information technology, cybersecurity and information security-related matters, including relevant business activities, key risks and mitigation efforts, prior incidents, results of assessments and monitoring, and the potential impact on the Company’s business.
Cybersecurity Risk Management and Strategy
Our cybersecurity risk management processes are integrated into our overall business risk management program. As part of our risk management program, we identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. As part of risk management processes, we maintain cybersecurity insurance that provides coverage for certain costs related to cybersecurity-related incidents. However, the amount or type of coverage may not be sufficient to address costs for handling an incident, or future changes may occur to insurance coverage.
As of December 29, 2023, we are not aware of any risks from cybersecurity threats, including from previous cybersecurity incidents, that materially impacted the Company's strategy, operations, or financial condition in the last three years. However, we have been the target of previous cyber attacks and anticipate we will continue to face risks of incidents through various types of attacks, including those using sophisticated techniques and evolving technologies such as artificial intelligence. Although we make efforts to maintain the security of our systems and data, we are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party vendors, will prevent breakdowns or incidents to our or our third-party vendors’ systems that could adversely affect our business. For further discussion, see the risk factor captioned "Our business depends on the continued effectiveness and availability of our information technology infrastructure, and failures of this infrastructure could harm our operations" included within Item 1A. Risk Factors of this Annual Report.