LABORATORY CORP OF AMERICA HOLDINGS - (LH)
10-K Filing Date: February 26, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
Protecting the information maintained by the Company about its patients, customers, colleagues, and partners against external and internal threats is a priority for the Company. Accordingly, the Company invests in the development and implementation of cybersecurity policies, control standards, and control procedures, including a risk management and assessment program, security and event monitoring capabilities, an incident response plan, and other detection, prevention, and protection capabilities, including practices and tools to monitor and mitigate external and insider threats. The Company engages in a risk monitoring process through its Office of Information Security (OIS) within the Information Technology organization that seeks to identify the likelihood and impact of threats to its systems and data, and assesses the effectiveness of the controls in place.
Consistent with business requirements, components of the Company’s information technology and controls are assessed by independent third parties against various frameworks and standards. With the assistance of these frameworks and standards, the Company assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, and assesses those systems pursuant to the Company’s cybersecurity policies, control standards, and control procedures. Mitigation of identified threats and vulnerabilities may be delayed.
The Company has implemented an Incident Response Plan (IR Plan), which is aligned to its overall crisis management program. The IR Plan provides a framework for responding to and managing cybersecurity incidents. The IR Plan identifies applicable requirements for incident response, outlines processes for any applicable reporting, as well as provides protocols for incident evaluation, processes for notification and internal escalation of information to the Company’s senior management, and the Board and/or appropriate Board committees, as applicable. The IR Plan is reviewed, tested, and updated under the leadership of the Company’s Chief Information and Technology Officer (CITO) and Chief Information Risk Officer (CIRO).
The Company’s cybersecurity team also provides enterprise-wide cybersecurity training for employees to maintain and continuously improve the Company’s mitigation against human-driven risk.
Engagement with External Cybersecurity Professionals
The Company engages with third parties to assess the effectiveness of, and assist with, its cybersecurity risk and response systems and processes. These third parties include cybersecurity assessors, consultants, and other cybersecurity professionals who assist in the identification, verification, and validation of cybersecurity risks, as well as support associated mitigation or incident response plans when necessary.
Oversight of Third-Party Service Providers
The Company’s processes also are designed to evaluate the cybersecurity threat risks associated with its use of third-party service providers that have applicable levels of access to the Company’s data or information technology systems. The Company performs due diligence on third parties that have access to its systems, data, or facilities that house such systems or data, and it monitors cybersecurity threat risks identified through such due diligence.
Cybersecurity Incident Impact
The Company describes whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect it, including its business and operating results, financial condition, and impact on the Company’s reputation and customer relationships, under the Summary of Material Risks section of this Annual Report, and under the “Risks Related to Technology and Cybersecurity” heading and subheadings thereunder in Part I, Item 1A. “Risk Factors” of this Annual Report, which disclosures are incorporated by reference herein.
In July 2018, the Company experienced a ransomware incident which affected certain Dx information technology systems. The incident also temporarily affected certain other information technology systems involved in conducting Company-wide operations. An investigation determined that the ransomware did not and could not transfer patient or client data outside of Company systems and that there was no theft or misuse of patient or client data. This incident did not have a material effect on the Company.
On May 14, 2019, Retrieval-Masters Credit Bureau, Inc. d/b/a American Medical Collection Agency (AMCA), an external collection agency, notified the Company about a security incident AMCA experienced that may have involved certain personal information about some of the Company's patients (the AMCA Incident). The Company is involved in pending and threatened litigation related to the AMCA Incident, as well as various government and regulatory inquiries and processes. For additional information about the AMCA Incident, see Note 15 Commitments and Contingencies to the Consolidated Financial Statements, “Cybersecurity” and “Risk Factors - Risks Related to Technology and Cybersecurity”.
Governance
The Company’s board of directors has oversight responsibility for the Company’s enterprise risk management process and it delegates oversight responsibility for certain significant functional areas of risk management to the board’s committees. The Audit Committee of the board of directors is responsible for oversight and review of the Company’s cybersecurity and other information technology risks, controls, and procedures, including the potential impact of such risks on the Company’s business, financial results, operations, and reputation, as well as the Company’s plans to mitigate cybersecurity risks and to respond to cybersecurity incidents.
The CIRO and CITO routinely present cybersecurity reports to the Audit Committee at its regularly scheduled meetings. These reports may address cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program, prior incidents, and the emerging cyber threat landscape. In addition, the full Board receives briefings from the CIRO and CITO on at least an annual basis.
Management is responsible for day-to-day assessment and oversight of cybersecurity risks. At the senior management level, the CITO is responsible for overseeing the Company’s information technology systems, technology capabilities, and cybersecurity practices. The CITO has more than 30 years of experience working in information technology-related roles and is a member of the Company’s executive leadership team and reports to the Chief Executive Officer. Prior to joining the Company, the CITO held various chief information officer roles with global companies.
The CIRO, under the direction of the CITO, is responsible for overseeing the OIS. In this role, the CIRO oversees the cyber risk management function, which identifies cybersecurity threats, assesses cybersecurity risks, and supports the CITO and the Company in managing such risks. The CIRO has over 30 years of experience in information security, and prior to joining the Company held various chief information security officer roles, including seven years at a global healthcare company. The CIRO has also served on the board of directors of Health-ISAC, an organization of critical infrastructure owners and operators within the health and public health sectors.
The CITO and CIRO together lead efforts to design, implement and operate controls deemed appropriate for the management of Company information assets and systems. OIS manages the policies, control procedures, and control standards designed to identify, detect, protect against, respond to, and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for the information technology security monitoring and incident response activities, the latter covering the response coordination to cybersecurity incidents under the leadership and pursuant to the direction of the CIRO. OIS also oversees the Company’s cybersecurity training program for employees.