Emergent BioSolutions Inc. - (EBS)

10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
CYBERSECURITY
The Company’s cybersecurity program is aligned with and integrated into the overall company risk management process through its Enterprise Risk Management Program ("ERM"). At Emergent, ERM is a centralized process that prioritizes the top risks to our organization and groups them into 12 categories, one of which is Cybersecurity. We conduct an Enterprise Risk Assessment ("ERA") annually to proactively identify, assess, respond to, monitor, and report risks to our enterprise. Identified risks are assessed, and we accordingly either accept the risk or take action to reduce or avoid it. Mitigations against risks are developed as necessary, and all risks are monitored, reviewed quarterly, and reported to executive leadership and the Board of Directors.
The ERM program and ERA process are described in the company’s Enterprise Risk Management Policy, which was released this year. The program includes enterprise-level risks grouped into 12 risk categories. Cybersecurity is included as a standing risk category. The ERM program does not itself independently review cybersecurity policies and practices. In the first quarter of 2024, ERM, in collaboration with Emergent’s Policy and Training Center of Excellence, provided training on Emergent’s Enterprise Risk Management Policy to all employees at the vice president level and above. We are currently working on an all-employee awareness communication to further educate the full employee population about the ERM program, policy and intranet page. This communication is expected in the first half of 2024. Annually, ERM training will be provided to all participants in advance of the Company's annual ERA. Full retraining on the ERM policy will occur every three years. The Company leverages the Committee of Sponsoring Organizations’ ("COSO") guidelines as the foundation for our ERM program and leverages external expertise.
The Company proactively reviews the threat landscape and its impacts on the company, and addresses any gaps where necessary. We also maintain security operations metrics and an incident response plan, and conduct tabletop exercises. The Company engages outside consultants to review both its cybersecurity posture and maturity, and to perform cyber assessments of the Company’s manufacturing/operational technology environments. The Company has a process in place to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider, namely its Third-Party Risk Management Assessment Process. We utilize the NIST framework when assessing third parties. The framework covers 23 categories. When applicable, we may request whether the third-party vendor is SOC 1/2 or GDPR certified.
The Company’s Chief Information Security Officer (“CISO”) is responsible for assessing and managing cybersecurity risks and has comprehensive oversight of information security functions, with an emphasis on strategic leadership, governance, risk management and technical proficiency. Moreover, the Company’s CISO provides cybersecurity updates to the entire Board of Directors and to the Board's Quality Compliance Management Risk Committee (the "Committee"). The purpose of the Committee is to assist the Board in fulfilling its oversight responsibilities relating to the Company’s compliance with laws, regulations, and industry standards that, if breached, may cause significant business, regulatory, or reputational damage to the Company, including oversight of the Company's:
Compliance with good practice regulations (GxP, where “x” stands for manufacturing, clinical, laboratory, pharmacovigilance, storage, distribution, etc.) and medical device Quality Systems Regulations (QSR);
Healthcare compliance, anti-corruption, privacy and data security landscape, medical product safety, supply chain, employee health and safety, political expenditures and lobbying activities, and government contracting;
Enterprise Risk Management program;
Cyber and information security risks.
The Committee is the primary oversight body that monitors the Company’s cybersecurity and related information technology risks, and it receives periodic updates from Company management (including the Chief Information Officer and the CISO) on the Company’s policies, processes, procedures, and any significant developments related to the identification, mitigation, and remediation of cybersecurity risks. The Chair or Vice-Chair of the Committee meets as necessary with the Chief Information Officer and the CISO to engage in a more detailed review of the Company’s cybersecurity and information security activities. The Committee charter also requires that the Committee ensure that Company management provides an annual cyber and information security update to the full Board. Current Committee members are: Zsolt Harsanyi, Ph.D., Sujata Dayal and Kathryn C. Zoon, Ph.D., all of whom are independent directors.
The Company's CISO is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM), and is certified in Risk and Information Systems Control® (CRISC). The CISO reports to the Quality Compliance Management Risk Committee twice per year and also reports to the Board twice per year.
The Company has not incurred material cybersecurity incidents over the past three years. The Company is not aware that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. The Company proactively reviews the threat landscape and its impacts on the company, and addresses any gaps where necessary. We also maintain security operations metrics and an incident response plan, and conduct tabletop exercises. In addition, the Company has:
Engaged a Managed Security Service Provider (MSSP) that maintains 24-hours-per-day, 7-days-per-week monitoring of the Company's environment;
Formed a partnership with the Cybersecurity and Infrastructure Security Agency (CISA) to monitor the Company's external traffic and external-facing web environment;
Performed an internal red team campaign;
Been audited by internal and external auditors.