Merck & Co., Inc. - (MRK)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
The Company’s cybersecurity measures are primarily focused on ensuring the security and protection of its information technology systems and data. The Company’s information security program is managed by a dedicated Chief Information Security Officer (CISO), whose group is responsible for leading enterprise-wide cybersecurity risk management, strategy, policy, standards, architecture, and processes. The CISO has worked in the cybersecurity and national security fields for more than 30 years. He has a Master of Science in Telecommunications and Computers. He has served as a board member of the Health Information Sharing and Analysis Center for 10 years. Oversight of the information security program has been integrated into the Company’s overall enterprise risk management program.
The CISO provides periodic reports to the Audit Committee (Audit Committee) of the Board of Directors (Board), the full Board, as well as to the Company’s Chief Executive Officer and other members of senior management, as appropriate. These reports include updates on the Company’s cybersecurity risks and threats, the status of projects intended to strengthen its information security systems, assessments of the information security program (including remediation, mitigation, and management of identified vulnerabilities), and the emerging threat landscape. The information security program is regularly evaluated by internal and external consultants and auditors, with the results of those reviews reported to senior management and the Audit Committee, which is comprised entirely of independent directors and has oversight responsibility for these risks.
The Company’s information security group monitors the Company’s information systems to prevent, detect, mitigate, and remediate cybersecurity incidents. The Company uses tools and techniques to continually assess, monitor, manage, and mitigate cybersecurity threats to its IT systems in a manner consistent with industry practice. The Company engages with key vendors, industry participants, and intelligence and law enforcement communities as part of its continuing efforts to obtain current threat intelligence, collaborate on security enhancements, and evaluate and improve the effectiveness of its information security program. As part of this program, the Company conducts periodic tabletop exercises to assess its cybersecurity incident response processes. The Company also maintains vendor management diligence and oversight processes to identify and monitor potential risks from cybersecurity threats attendant to its use of third-party service providers. Additionally, the Company monitors cybersecurity threat intelligence received from key third-party service providers associated with the Company.
In the event of a cybersecurity incident, the Company has a process in place whereby members of the security group will alert the CISO and the CISO will alert the appropriate levels of management, including an incident assessment team, as well as the legal and finance departments so that the materiality of any such event can be assessed in furtherance of fulfilling any reporting requirements. If warranted, senior management will notify the Audit Committee or the full Board, as appropriate.
The Company has been and continues to be the target of cyber-attacks and network disruptions. To date, the risks posed by such cybersecurity threats have not materially affected the Company and its business strategy, results of operations and financial condition, and as of the date of this report, the Company is not aware of any material risks from cybersecurity threats that are reasonably likely to do so, but there can be no assurance that the Company will not be materially affected by such risks in the future. For further information, see Item 1A. “Risk Factors — The Company is increasingly dependent on sophisticated software applications and computing infrastructure. The Company continues to be a target of cyber-attacks that could lead to a disruption of its worldwide operations, including manufacturing, research and sales operations.”