Endo International plc - (ENDPQ)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity
The Company has procedures and safeguards designed to detect and/or prevent unauthorized access to confidential information and defend against cyber-attacks, both internally and with the assistance and partnership of cybersecurity experts, with a view toward addressing the ever-evolving threat landscape and changing cybersecurity regulations. As part of its role in risk oversight, the Audit & Finance Committee of the Company’s Board (Audit & Finance Committee) reviews the Company’s program for managing information security risks, including data privacy and data protection. Our cybersecurity framework, which is based on the National Institute of Standards and Technology Cybersecurity Framework, includes risks and controls embedded into our processes and technology, and measured and monitored by cybersecurity subject matter specialists. All employees and contractors with access to our Company’s systems must also complete mandatory comprehensive cybersecurity trainings periodically and participate in simulations which are deployed to educate and prepare users for cyber-attacks and similar risks.
Under the direction of the Chief Information Officer (CIO), who reports to the Company’s Chief Executive Officer, and Chief Information Security Officer (CISO), who reports to the CIO, as well as certain other cybersecurity focused team members (the IT Security team), the IT Security team is responsible for addressing the dynamic threats against our electronic systems and assisting the workforce with handling system incidents, including by centralizing the reporting, detection and response to incidents to one functional team. The CIO and CISO have multiple decades of relevant IT experience. Incident management and response processes establish the recommended organization, actions and procedures needed to recognize and respond to an incident; assess the situation quickly and effectively; notify the appropriate individuals and organizations about the incident; organize the Company’s response activities, including activating a command center; escalate the Company’s response efforts based on the severity of the incident; and support the business recovery efforts being made in the aftermath of the incident. Additionally, third-party security experts are regularly engaged to monitor, assess, review and analyze the information technology landscape. The Company’s incident response framework also defines the roles with respect to cybersecurity risk oversight and assigns responsibility to the IT Security Team. The IT Security team members have: (i) completed extensive cybersecurity training; (ii) have experience assessing cybersecurity incidents; (iii) actively participate in industry and government forums; and iv) collaborate with our peers to understand and improve cybersecurity intelligence, vulnerability management and defense strategies.
Our internal audit team performs audits of our information systems and network security. The audit scope, timing and frequency of our cybersecurity control framework is integrated into the Company’s overall risk management process and the planning for, and results of, those audits are reviewed with the Audit and Finance Committee.
We regularly assess and monitor our cybersecurity risks and incidents and report them to our senior management and Audit and Finance Committee. Our Audit and Finance Committee oversees our cybersecurity strategy and governance and reviews our cybersecurity policies and practices on a periodic basis. Additionally, and as further discussed above, the Audit and Finance Committee is briefed multiple times a year or as needed by the CISO and/or CIO and, if applicable as determined by the Company’s senior leadership, external advisors on the current and emerging cybersecurity threats and trends and the effectiveness of our cybersecurity controls and response capabilities.
We conduct due diligence security assessments of certain third-party providers before engagement, have contractual rights to and gather data on the effectiveness of vendor systems and protocols and monitor compliance with our cybersecurity standards. The monitoring includes periodic assessments and ongoing monitoring by the IT Security team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-parties.
To date, cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected the Company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents, of which we are aware, are reasonably likely to materially affect the Company. Refer to “Our operations could be disrupted if our information systems fail or are not upgraded or are subject to cyber-attacks” in Part I, Item 1A of this report for additional information on risks from cybersecurity threats.