OMNICELL, INC. - (OMCL)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
In general, the Company addresses cybersecurity risks through a comprehensive approach that is focused on preserving the security of its information and on identifying, preventing and mitigating cybersecurity threats, as well as effectively responding to cybersecurity incidents when they occur. The Company believes that this comprehensive approach helps to ensure that the highest levels of oversight are provided to its cybersecurity risk management activities and fosters collaborative consultation between management and the Board.
Board Oversight
As part of its risk oversight function, the Audit Committee of the Company’s Board of Directors is primarily responsible for overseeing and reviewing the Company’s information security and technology risks, including cybersecurity. In this role, the Audit Committee monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the regular receipt of reports from management on the effectiveness of its cybersecurity programs. These reports include semi-annual cybersecurity updates from the Company’s Chief Information Officer and quarterly reports from the Company’s risk management personnel on the progress of the Company’s broader Enterprise Risk Management (“ERM”) risk mitigation activities. As part of the ERM process, the Audit Committee provides input on key risks for the Company to consider. In addition, the Board also provides quarterly input on its views regarding potential emerging risk areas for the Company. The Audit Committee then reports to the full Board on a quarterly basis regarding its oversight activities and the risk management activities of the Company. In addition, the full Board receives periodic presentations from management on emerging information security and cybersecurity risks, as well as incident reports as significant matters may arise.
Enterprise Risk Management
Omnicell utilizes a structured, biannual ERM process to identify, assess, and address material risks facing the Company, including cybersecurity risks, during which business leaders across the Company are surveyed about current and emerging risk areas. After the ERM survey is completed and risk areas are identified, the results are discussed with the relevant management personnel across the organization in the key risk areas, root causes are analyzed and risk mitigation plans are developed. The Chief Information Officer works closely with Omnicell’s management team in all facets of its ERM risk mitigation activities related to cybersecurity and information security risks.
Ongoing Mitigation Efforts
The Company has implemented a number of security measures designed to protect its systems and data, including firewalls, antivirus and malware detection tools, patches, log monitors, routine back-ups, system audits, system hardening, penetration testing and privileged access session management. In addition, the Company has continued its efforts to migrate its platforms to cloud-based computing, which is designed to further strengthen its security posture. The Company has focused on its incident response procedures and retained a leading incident response provider. The Company has also recently strengthened its disaster recovery procedures. The Company’s solutions incorporate cybersecurity features that are routinely analyzed. In addition, the Company maintains insurance that includes coverage for cyber-attacks, which coverage is discussed and reviewed with the Audit Committee annually.
The Company has what it believes are appropriate physical, technical, and administrative controls in place that are designed to protect customers’ data. However, as previously disclosed, on May 4, 2022, the Company determined that certain of its information technology systems were affected by ransomware impacting certain internal systems. Upon detecting the security event, the Company took immediate steps designed to contain the incident and implement its business continuity plans to restore and support continued operations. Subsequently, the Company contained the incident and restored substantially all of its critical information technology systems.
Following this cybersecurity event, the Company immediately implemented several key learnings from the incident, including using a three-pronged approach focused on further reducing exposure, raising greater security awareness, and further strengthening the Company’s cybersecurity defenses. This approach resulted in the Company further hardening its identity computing environments as part of its progress to a zero trust environment, heightened cybersecurity awareness efforts through increased comprehensive information security awareness training for employees on a quarterly basis, and the strengthening of the Company’s cybersecurity defenses through implementation of multifactor authentication for Privileged Access Management and Endpoint Detection and Response solutions across the Company’s computing environment.
Incident Response
In the event of a cybersecurity incident, dependent upon the nature of the incident, the Company has a Security Incident Response Team (“SIRT”) that is comprised of employees who have responsibility and authority to act during a cyber incident without delay, including, dependent upon the nature of the incident, the Company’s Chief Legal Officer, Chief Information Security Officer and Chief Information Officer. The SIRT includes individuals responsible for assessing, containing, and responding to incidents, as well as those responsible for assessing the business and legal impacts, reporting incidents as appropriate, communicating to internal and external stakeholders, and engaging with industry and government response partners to coordinate information and resource sharing when needed. During a cybersecurity incident, as warranted, the SIRT keeps the Company’s senior leadership and Board apprised of the response to the incident, any operational or business impacts, and any internal or external communications regarding the incident. The SIRT will also seek the input of the Company’s senior leadership and Board, as needed, when addressing a cybersecurity incident. Upon resolution of a cybersecurity incident, generally, the Audit Committee will review the incident, the impact and the mitigation efforts and remediation actions the Company will implement. The Audit Committee then monitors the completion of the remediation actions and mitigation efforts.
Cybersecurity Leaders in Management
The Company’s IT strategy and implementation is overseen by a dedicated Chief Information Officer with over 20 years of experience in the field, including previously serving a 17-year tenure, most recently as Vice President of Global IT, with a global technology leader of fiber optic subsystems and components. He holds a Bachelor of Science in Computer Science and Engineering from Andhra University in India and an MBA from the Indian School of Business. In addition, the Company has recently engaged a Chief Information Security Officer (“CISO”). The Company’s CISO has built and managed world-class information security programs and technology teams for industry leading global companies. She has deep experience securing healthcare-focused companies in both the provider and supplier space. She holds a Bachelor of Science from the University of Redlands and an MBA from Notre Dame De Namur University along with holding certified information systems security professional (“CISSP”) and certified information security manager (“CISM”) certifications.
Third Parties
The Company utilizes third-party service providers, such as cloud services, in connection with its operations, and its information security department implements a third-party risk assessment and review process in connection with those services to evaluate security posture and risk. The Company also engages third parties to assist in its cybersecurity management efforts, such as the leading incident response provider mentioned above and another provider to perform continuous monitoring and regular penetration testing of its information security systems and environment. The Company and its personnel also actively engage with a number of other key vendors, industry participants and intelligence and law enforcement communities as part of its information security and cybersecurity efforts.
Impact of Recent Cyber Incident
While the previously disclosed ransomware incident led to (i) temporarily delayed invoicing that impacted the timing of cash collections and free cash flow in 2022 and (ii) customer implementation delays in 2022, as the Company recovered from the impacts of the ransomware incident, substantially all implementations delayed due to the ransomware incident were completed as of the end of 2022. Furthermore, any delayed or impacted processes have returned to normal operations. To date, the Company does not believe the ransomware incident, or other identified cyber risks, have had, or will have, a material adverse effect on its business, operating results, cash flow, or financial condition.