Jazz Pharmaceuticals plc - (JAZZ)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk management and strategy
We have implemented and maintain an information security program designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data including intellectual property, clinical trial participant and patient-related data, and confidential information that is proprietary, strategic or competitive in nature, or collectively, Information Systems and Data.
Our cybersecurity threat risk management processes include the following, among others:
Our information security department identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and risk profile using various methods including, for example, manual methods and automated tools, conducting scans of the threat environment, conducting threat assessments, performing vulnerability assessments, use of external intelligence feeds, and through third-party-conducted red/blue team testing and tabletop incident response exercises.
Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: information security policies and standards governing access control, network and device security, encryption standards, incident response plans, disaster recovery plans, risk management, vulnerability detection and management and security awareness training requirements as well as security tools such as firewalls, malware protection tools, secure authentication tools, centralized logging and monitoring tools, threat intelligence tools, and data protection tools.
Our overall risk assessment and management processes address cybersecurity threats that may have a material impact on our business. Our information security department maintains a risk register of individual risks from cybersecurity threats. Our Chief Information Security Officer, or CISO, and Chief Information Officer, or CIO, periodically review the area of cybersecurity risk management within our overall enterprise risk management program and work with our executive director of internal audit and enterprise risk management to incorporate the aggregate risks from the cybersecurity threat risk register into the overall enterprise risk management program risk register. In addition, our CISO and CIO report significant increases to our threat profile to the Information Security Governance Committee (described below).
We use third parties, including professional services, incident response and managed security firms (including some that we have on a pre-paid retainer basis), to assist us from time to time to identify, assess, and manage cybersecurity risks, perform threat assessments relating to our Information Systems and Data by reviewing our business and industry vertical threat profiles and applying those to the overall threat landscape, perform penetration tests, conduct cybersecurity readiness exercises, assess program maturity, and to assist in the event of a cyber security incident.
We have third-party vendor management processes designed to help us identify, assess and manage risks from cybersecurity threats to our Information Systems and Data that may arise out of our use of third-party vendors across our business, including, among others, application providers, hosting companies, contract research organizations, contract manufacturing organizations, distributors, and supply chain resources. Depending on the nature of the services and the service provider, our vendor management processes may include assessment of the cybersecurity practices of such vendors and contractually imposing obligations on the provider.
For a description of the risks from cybersecurity threats that may materially affect us and how those risks may affect us see “Significant disruptions of information technology systems or data security breaches could adversely affect our business” under Part I, Item 1A. Risk Factors in this Annual Report on Form 10-K.
Governance
Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The audit committee of the board of directors, or Audit Committee, helps oversee our cybersecurity risk management processes, including oversight of risks from cybersecurity threats.
The Information Governance Security Committee and the Audit Committee receive various reports from CISO and CIO. The CISO (or its designee) reports to the Audit Committee on cybersecurity risk on at least a quarterly basis. Written reports and presentation materials regarding cybersecurity risk provided to the Audit Committee are made available to the board of directors and they can discuss the materials and cybersecurity risk with the Audit Committee members. The Internal Audit team oversees internal controls implemented by us under our information security program.
Our information security program is implemented and maintained by certain of our management, including the CISO, CIO and other members of our Information Security Governance Committee (Chief Legal Officer, Chief Financial Officer, and Chief Privacy Officer). Our CISO has been at the company for over 7 years, and has served in various cybersecurity roles for over 20 years across multiple companies and industry verticals including banking, consulting, ecommerce, and pharmaceuticals. He is a Certified Information Systems Security Professional and has experience responding to major information security incidents at previous companies prior to joining the company. Our CIO has been at the company and had oversight of our cybersecurity for over 7 years. In addition, our CIO has served in various information technology roles in the U.S. and overseas for over 25 years across multiple companies and industry verticals including consulting, healthcare, and pharmaceuticals.
The Information Security Governance Committee helps assess and manage our cybersecurity risks and monitor the effectiveness of our information security program and risk management. Management, including those serving on our Information Security Governance Committee, is responsible for hiring appropriate cybersecurity personnel, helping to integrate cybersecurity considerations into our overall risk management strategy, providing appropriate resources for cybersecurity risk management, and communicating key priorities to relevant personnel. Our cybersecurity incident response plan includes processes designed to escalate certain cybersecurity incidents that caused a significant impact to us to members of the Information Security Governance Committee, and certain members of executive management depending on the circumstances. In addition, our incident response plan includes reporting to the Audit Committee for certain cybersecurity incidents, including those that have potentially had a material impact to us.

