OPKO HEALTH, INC. - (OPK)

10-K Filing Date: March 01, 2024
ITEM 1C.   CYBERSECURITY.


Overview


OPKO Health, Inc. (“OPKO” or the “Company”) is committed to the highest standards of cybersecurity, adhering to the SEC's definitions for 'Cybersecurity Incident,' 'Cybersecurity Threat,' and 'Information Systems.' Our focus is on safeguarding our digital infrastructure and sensitive data against unauthorized access and threats.


Risk Management and Strategy

1. Risk Assessment and Management: OPKO employs rigorous assessment and management of cybersecurity risks, aligning with NIST and other industry standards. Our strategy is integrated into our overall risk management program, reflecting our commitment to safeguarding data.

   a. Collaborative Approach: We utilize a cross-functional strategy, involving key security, risk, and compliance stakeholders, to preserve data confidentiality and manage cybersecurity threats.

   b. Technical Safeguards: Regular assessments and updates of technical safeguards are based on ongoing vulnerability analyses and threat intelligence.

   c. Incident Response and Recovery: We have established comprehensive incident response and recovery plans, ensuring readiness and effective response to cybersecurity incidents.

   d. Third-Party Risk Management: Rigorous controls are in place to mitigate risks associated with third-party service providers, including security risk assessments and contractual security requirements.

   e. Education and Awareness: Regular privacy and security training for employees is conducted to enhance awareness of and response to cybersecurity threats.

   f. External Assessments, Attestations, and Certifications: Annual vulnerability and penetration tests and data privacy and protection reviews are performed by third-party experts. No significant findings were identified. OPKO maintains industry certifications such as SOC 2 Type 2 and PCI DSS attestations.

2. No Material Breaches or Incidents: There have been no material breaches or cybersecurity issues affecting the Company. Consequently, no risks from cybersecurity threats or previous cybersecurity incidents have materially affected, nor are they reasonably likely to materially affect, the Company's business strategy, results of operations, or financial condition. As of the date of this filing, the Company maintains that its cybersecurity measures have been effective in mitigating potential risks associated with cybersecurity threats.

 

Governance

1. Board Oversight: The Audit Committee of the Board has direct oversight and regularly reviews reports on cybersecurity risks and vulnerabilities. The Audit Committee is informed about risk assessments, progress of risk reduction initiatives, and feedback from external auditors. Our chief compliance & audit officer (“CCO/CAO”) and his direct report, the chief information security officer (“CISO”), have primary responsibility for assessing and managing material cybersecurity risks. The CCO/CAO reports to the Audit Committee, which is the primary governing body that drives alignment on security decisions across the Company. The Audit Committee meets at least four times a year on cybersecurity, and such meetings are attended by the CCO/CAO, CISO, chief legal officer (“CLO”), chief financial officer (“CFO”), corporate controller, associate general counsel, and other senior company executives as needed to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Audit Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation.

2. Expertise and Leadership: Our Chief Compliance & Audit Officer (CCO/CAO) possesses over 27 years of experience in Cyber Security and IT Controls across various complex organizations, including an initial tenure at Boston University Medical Center, followed by roles at PricewaterhouseCoopers, Biogen, Vertex Pharmaceuticals, and currently OPKO Health for the past 6 years. The CCO/CAO has a master’s degree in Computer Science with a specialization in Cyber Security from Boston University, a qualifying UK law degree from the University of Edinburgh, an MBA in Accounting, and a Master's of Finance from Northeastern University, in addition to a BA in Economics from Dartmouth College.


The Chief Information Security Officer (CISO) brings over 27 years of experience in Cyber Security and IT Controls, with the last 15 years serving as CISO at OPKO Health and previously at Everest Insurance Corp. Prior experience includes several years at PricewaterhouseCoopers as an IT auditor and Cyber Security consultant. The CISO holds comprehensive Cyber Security accreditations and certifications, including CISSP, CISA, CRISC, CHP, CDRE, and MBCI, and has completed undergraduate degrees in Accounting and Computer Information Systems from Baruch College. The CISO oversees a department comprising five cyber security engineers with extensive experience.


Structured Data Requirement


Consistent with SEC regulations, OPKO Health, Inc. commits to providing the information required by this Item in an Interactive Data File format, in accordance with Rule 405 of Regulation S–T and the EDGAR Filer Manual.


OPKO Health, Inc.'s strategic approach to cybersecurity governance, characterized by our rigorous third-party assessments, industry certifications, and a clear organizational reporting structure, underscores our unwavering dedication to safeguarding sensitive information and maintaining trust.
