Viatris Inc - (VTRS)
10-K Filing Date: February 28, 2024
ITEM 1C. Cybersecurity
Viatris operates in a complex and rapidly changing environment that involves many potential risks, including IT and cybersecurity risks. Risk management is an enterprise-wide objective and is subject to oversight by the Viatris Board and its committees. It is the responsibility of Viatris’ management and employees to identify material risks to our business and to implement and administer risk management and mitigation processes and programs, while also maintaining reasonable flexibility in how we operate. Our internal audit function coordinates cross functionally to periodically complete the Company’s enterprise risk assessment, including the identification of key and emerging risks, and reviews and refreshes this analysis quarterly with executive management. For each key or emerging risk identified, the Company establishes risk monitoring ownership, evaluating risk mitigation opportunities and collecting quarterly updates for executive management and the Viatris Board’s Compliance and Risk Oversight Committee.
With respect to IT and cybersecurity risks, Viatris maintains an information security program that is aligned with the National Institute of Standards and Technology Cybersecurity Framework standards, and which is designed to identify, protect, detect, respond to and recover from cybersecurity threats. Viatris’ information security program includes policies, procedures, cybersecurity awareness communications, testing, and training for employees (including mandatory training programs for system users), system monitoring, risk reduction, vulnerability and patch management and monitoring of external developments. The information security team is responsible for defining and overseeing the execution of the Company’s information security program and strategy. The Viatris IT team, led by the Chief Information Officer, is responsible for ongoing security operations such as maintaining firewalls and patch management. In addition, the delivery of many information security programs relies on IT resources to execute the delivery and implementation of security solutions, such as end-point protection and end-of-life protocols.
The Company’s Chief Information Security Officer & Head of Global Security, under the direction of the Company’s Chief Compliance Officer, reports quarterly to the Risk Management Team, which includes the CEO, President, CFO, General Counsel, Chief Human Relations Officer, Head of Corporate Affairs, Regional Presidents, Chief Information Officer and Chief Compliance Officer, and the Viatris Board on the progress of the information security program and overall security status. Viatris’ current Chief Information Security Officer & Head of Global Security has over 20 years of experience in information security within the pharmaceutical industry.
As part of this program, Viatris has adopted a Cybersecurity Incident Response Plan (referred to as CIRP) to establish a guide for Viatris’ leadership and incident response stakeholders through an “incident” (a single event or a set of anomalous and adverse “events” (for purposes of the CIRP, a change in a system or technology device that could impact the confidentiality, integrity, and availability of Viatris’ data and technology assets) caused by malicious intent or by accident impacting Viatris’ network, computing systems, or digital information). The CIRP is managed by the information security team and is reviewed at least annually. Viatris tests the CIRP through technical exercises at least semi-annually, reviews the CIRP with executive management annually, and periodically conducts executive tabletop exercises/scenarios. The CIRP provides an overview of critical actions to take through the incident response lifecycle and contains a severity matrix used to guide the Company’s incident response stakeholders on communication and escalation protocols. The severity of the incident guides the determination of the parties to whom the incident will be escalated, and the Company may decide to seek assistance from a third-party incident response vendor.
Viatris’ Cybersecurity Incident Response Team (referred to as CIRT) reports to the Chief Information Security Officer & Head of Global Security and has the role of investigating and executing incident protocols. The CIRT is generally responsible for determining the potential impacts to the Company, including severity, notifying appropriate parties pursuant to the CIRP and determining whether to engage a third-party incident response vendor, among other responsibilities. Critical and high severity incidents require the engagement of the senior leadership once such an incident is confirmed. The Company’s Disclosure Controls and Procedures also require (i) the Company’s Information Security function to monitor and escalate, as appropriate, cybersecurity incidents or series of related incidents (including with respect to any third party provider to the Company of IT services) and (ii) the Disclosure Committee to determine, without unreasonable delay, the materiality of any such escalated cybersecurity incidents or series of related incidents with input from Global Compliance, Information Security, Legal, Finance and other groups, as appropriate.
The Company participates in several industry and third-party threat monitoring and information-sharing services, and these engagements provide insight into vulnerabilities and threats which are incorporated into the security operations scanning as well as shared with the IT team for remediation. Key aspects of the information security program are also provided by third-party managed security providers, including but not limited to first- and second-line support for incident response and the Company’s vulnerability assessment process. Our suppliers, subcontractors and third-party service providers, including third-party managed security providers, are subject to cybersecurity obligations and controls. We conduct initial risk assessments of third-party suppliers and service providers based on various factors and then review and monitor these third-party suppliers and service providers based on their relative assessed level of risk. We also require our suppliers, subcontractors and third-party service providers to agree to cybersecurity-related contractual terms and conditions of purchase.
The Compliance and Risk Oversight Committee of the Viatris Board is responsible for reviewing management’s exercise of its responsibility to identify, assess, and manage material risks not allocated to the Viatris Board or another Committee of the Viatris Board, including data security programs and cybersecurity and IT. In the event of a severe cybersecurity incident, such as a ransomware attack or other incident that has a severe adverse effect on Viatris’ operations, critical systems or sensitive data, or which may cause severe reputational damage, executive management may determine that it is necessary to notify the Viatris Board or the Compliance and Risk Oversight Committee about such a cybersecurity incident immediately. Otherwise, the Compliance and Risk Oversight Committee receives reports from executive management on data security, cybersecurity and information security-related matters on at least a quarterly basis, including with respect to related risks, risk management, risk reduction programs, and relevant legislative, regulatory, and technical developments. On a biannual basis, the Compliance and Risk Oversight Committee and chairs of each other Committee of the Viatris Board receive an information security update from the Company’s Chief Information Security Officer & Head of Global Security, the Chief Compliance Officer and the Chief Information Officer. The full Viatris Board receives a report on the respective quarterly discussions from the Chair of the Compliance and Risk Oversight Committee each quarter.
We and our suppliers, partners, customers and vendors have in the past and will likely continue to experience cybersecurity threats and incidents, including attacks on and compromises of our systems. Although we do not believe such cybersecurity threats or incidents have had a significant impact on us to date, there is no guarantee that a future cybersecurity threat or incident will be detected and remediated so as not to have a material adverse impact on our business, reputation, financial condition, cash flows or results of operations. For additional information regarding how cybersecurity threats are reasonably likely to materially affect our business, financial condition, results of operations, cash flows, ability to pay dividends and/or stock price, see Part I, Item 1A “Risk Factors – We are increasingly dependent on IT and our systems and infrastructure face certain risks, including cybersecurity and data leakage risks” of this Form 10-K.