Pacira BioSciences, Inc. - (PCRX)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We are subject to cybersecurity threats that could have a material adverse impact on our results of operations, financial condition and cash flows, as well as our operations—including our manufacturing and marketing capabilities. We operate a risk-based cybersecurity program which is designed to: (i) ensure the security, confidentiality, integrity and availability of our information and systems; (ii) protect against anticipated or actual cyber threats to our information and systems; and (iii) protect against unauthorized access and/or use of our information and systems. Overall cybersecurity risk reporting is integrated with our enterprise risk management program, is included in discussions with the Audit Committee of our board of directors and disclosed where appropriate. Our information technology and cybersecurity function is headed by our Chief Administrative Officer, or CAO, and Vice President of Information Technology, who are responsible for managerial oversight of our cybersecurity program. Our CAO reports directly to our Chief Executive Officer and our Vice President of Information Technology reports directly to our CAO.
We utilize a layered approach in assessing, identifying, evaluating and managing material risks from cybersecurity threats, and leverage outside partners to gain intelligence on threats. We take input from industry activities, third party assessments and internal simulations and continuously adjust our protection mechanisms to be effective. We also assess operational and data security risks associated with our use of third-party service providers, understanding where failure points may exist within our supply chain operations and data protections. If we learn of a cybersecurity incident at a third-party service provider, our information technology department will maintain communication with that third-party service provider and communicate any cybersecurity incidents to the Vice President of Information Technology and CAO. All Pacira employees receive information security training (including data protection and fraud awareness) on an annual basis, and we use state-of-the-art technology to monitor systems for anomalous behavior. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings. In the event an incident were to occur, a Security Incident Response Team would be convened that consists of members from many functions, including legal counsel, the Vice President of Information Technology and the CAO.
Pacira BioSciences, Inc. | 2023 Form 10-K | Page 70

s
Our board of directors has the ultimate oversight of the Company’s risks—including cybersecurity risks—with our Audit Committee assisting the board in their oversight of cyber and information security risks. Members of management that possess information security certifications and many years of experience work with our legal, finance and corporate governance functions to identify, define and report cybersecurity risks, policies and procedures and incident response plans. The Audit Committee receives updates on our cybersecurity program from management on a quarterly basis and more frequently as determined to be necessary or advisable. Updates to the Audit Committee include policies, processes, procedures and any significant developments related to the identification, mitigation and remediation of cybersecurity risks, as well as effectiveness and changes in our ability to monitor, protect, detect and respond to incidents, risk reviews and industry news briefings. The Audit Committee also ensures that management provides a cyber and information security update to the board at least annually. Finally, in the event a material cybersecurity incident were to occur, the CAO and Vice President of Information Technology would brief the Audit Committee which would then be responsible for assessing the materiality of the incident and making the determination of materiality and any related disclosure.
We face a number of cybersecurity risks in connection with our business. Although we have numerous controls to protect against common attacks, some attacks may still be effective. Our controls are designed to detect, triage and eradicate these attacks. While we carry a cyber insurance policy to help cover investigation and mitigation expenses, it may be subject to limitations and be insufficient to cover all expenses that may result from a cybersecurity incident. Although the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication.
For more information about the cybersecurity risks and other information technology and data privacy risks we face, see Item 1A. Risk Factors and the subsection titled Risks Related to Information Technology, Cybersecurity and Data Privacy.