HENRY SCHEIN INC - (HSIC)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We rely on information systems in our business to obtain, rapidly process, analyze, manage and store customer,
product, supplier and employee data to, among other things: maintain and manage multiple information systems
worldwide to facilitate the purchase and distribution of thousands of inventory items from numerous distribution
centers; receive, process and ship orders on a timely basis; manage the accurate billing and collections for
thousands of customers; process payments to suppliers and vendors; provide products and services that maintain
certain of our customers’ electronic medical or dental records (including protected health information of their
patients) and maintain and manage global human resources, compensation and payroll systems. For these purposes,
we define “information systems” in a manner consistent with the definition contained in the new rules recently
adopted by the SEC to mean “electronic information resources, owned or used by the registrant, including physical
or virtual infrastructure controlled by such information resources, or components thereof, organized for the
collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to
maintain or support the registrant's operations.”
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk mitigation strategy intended to protect our information
systems. Our cybersecurity risk mitigation strategy is designed so that the Company’s cybersecurity program is
aligned with generally accepted cybersecurity standards and frameworks, in particular the NIST Cybersecurity
Framework, or “NIST CSF,” and our Company is externally audited, or certified, against ISO 27001 for a partial scope.
We maintain an Office of Cybersecurity (“OCS”), led by our Chief Information Security Officer (“CISO”), which
oversees the operations of our cyber risk mitigation strategy. The OCS is a cross-functional, enterprise-wide
management team, which continuously evaluates our global cybersecurity program’s effectiveness and is focused
on maintaining and protecting our information systems. In overseeing the operations of our cyber risk mitigation
strategy, the OCS partners with our Global Technology Solutions team, which is led by our Chief Technology
Officer (“CTO”) and is comprised of over one hundred professionals that support our information systems and
operations. Our cyber risk mitigation strategy includes monitoring for and addressing risks that materialize within
the Company’s information systems, as well as at our third-party vendors, suppliers and other third-party business
partners.
Our CISO reports to our CTO. Our CTO, who also serves as Senior Vice President, has more than 30 years of
experience leading large-scale global IT organizations and received a Bachelor of Business Administration in
Business Computer Information Systems and a Master of Business Administration from Hofstra University. See
also
President and Head of the Office of Cyber Security, is a National Security Agency Certified Information Systems
Securities Engineer, has nearly 30 years of experience leading global cybersecurity programs, and received a BS,
Electrical Engineering and Computer Science from Lafayette College, and a Master of Science, Business,
Information Technology Management from Johns Hopkins University. The cybersecurity risk mitigation strategy
is also overseen by senior managers who are members of our Executive Steering Committee, comprised of the
Company’s most senior technology, legal and internal auditing officers. Our CEO is regularly briefed on issues,
incidents, and developments, and our Board oversees our risk mitigation strategy principally through its Audit
Committee and Regulatory, Compliance and Cybersecurity Committee, as described in more detail below.
Our cybersecurity risk management program includes, among other elements:
● risk assessments designed to help identify material cybersecurity risks to our information systems;
● a security team principally responsible for (i) managing our cybersecurity risk assessment processes and
(ii) defining cybersecurity control standards;
● the use of expert external service providers to assess, test or otherwise assist with aspects of our
cybersecurity controls, and to respond to specific cybersecurity threats;
● the review and assessment of past cybersecurity incidents with a view to learning from those events to
further strengthen our cyber risk mitigation strategy;
● a written cybersecurity incident response plan that includes procedures for responding to cybersecurity
incidents; and
● a Global Information Security Policy, together with more detailed information security policies,
procedures, standards, and guidelines.
In addition, all employees with systems access are required to participate in mandatory annual cybersecurity and
anti-phishing courses, along with compliance programs. Our employees who perform financial gatekeeper roles
also receive additional mandatory annual data security training specific to spoofing, phishing and similar data
security threats. Per written Company policies, employees are also required to safeguard confidential information.
Our cybersecurity risk strategy is integrated into our overall enterprise risk management program, and our
cybersecurity team is supported by and connected with the enterprise risk management team.
Prior Cybersecurity Incidents
In addition to immaterial and unrelated prior incidents at certain of our subsidiaries, in October 2023 Henry Schein
experienced a cybersecurity incident that primarily affected the operations of our North American and European
dental and medical distribution businesses. Henry Schein One, our practice management software, revenue cycle
management and patient relationship management solutions business, was not affected, and our manufacturing
businesses were mostly unaffected. Once we became aware of the issue, we took steps to assess, contain and
remediate this incident. We restored affected systems and applications, our distribution operations resumed and we
reactivated our ecommerce platform. We also notified law enforcement and our employees, customers, suppliers
and investors, informing them of both the incident and management’s efforts to mitigate its impact on our daily
operations and data maintained on the Company’s systems. Subsequently, on or about November 8, 2023, we
determined that the threat actor obtained personal and sensitive information maintained on our systems belonging to
certain third parties and since that date we have notified affected and potentially affected parties as appropriate.
The scope of personal and sensitive data impacted is still under investigation. On November 22, 2023, we
experienced a related disruption to our ecommerce platform and related applications, which has since been
remediated. As described in “Management’s Discussion & Analysis – 2023 Compared to 2022,” the incident
adversely impacted our financial results for the fourth quarter and full year 2023. We also expect some short-term
residual impact on our financial results in 2024.
It is part of the mission of our cybersecurity risk mitigation strategy to constantly evolve our cybersecurity defenses
to adapt to evolving risks, and to learn from prior incidents, and we have evaluated and continue to evaluate the
incident with the assistance of third-party expert consultants. Members of the Audit Committee and Regulatory,
Compliance and Cybersecurity Committee of our Board of Directors are conducting a review of the October 2023
cybersecurity incident, including the measures undertaken in response to the incident.
Cybersecurity Governance
Our Board has a Regulatory, Compliance and Cybersecurity Committee that focuses on cybersecurity oversight,
together with other board committees, principally the Audit Committee. The purpose of the Regulatory,
Compliance and Cybersecurity Committee is to assist the Board by providing guidance to, and oversight of, the
Company’s senior management responsible for assessing and managing Company-wide regulatory, corporate
compliance and cybersecurity risk management programs. The primary responsibilities of the Regulatory,
Compliance and Cybersecurity Committee are to (i) discuss cybersecurity strategic decisions, issues, challenges and
opportunities relating thereto, (ii) provide expertise to guide assessment and monitoring of Company-wide
regulatory, corporate compliance and cybersecurity risk management budgeting, spending and capital investment,
(iii) monitor progress and status of the Company’s regulatory, corporate compliance and cybersecurity risk
management programs, (iv) review and evaluate major regulatory, corporate compliance and cybersecurity risk
management initiatives to identify emerging and future opportunities for synergy or to leverage regulatory,
corporate compliance and cybersecurity risk management investments more effectively and cost efficiently,
(v) report to the Audit Committee on regulatory, corporate compliance and cybersecurity risk management matters
reviewed by the Regulatory, Compliance and Cybersecurity Committee that may impact the Company’s financial
reporting and (vi) be generally available to, and communicate with, the Company’s senior management, and to
inform the Board in the areas described above.
Our CISO and CTO, along with other key executives who are part of our Executive Steering Committee, review
strategy, policy, program effectiveness, standards, enforcement and cybersecurity issue management with the
Board’s Regulatory, Compliance and Cybersecurity Committee on at least a quarterly basis and with the Audit
Committee on at least a bi-annual basis. Our CTO meets with Board members outside of the formal meetings on a
regular basis as well as in connection with specific cybersecurity issues or threats.