Organon & Co. - (OGN)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy. We depend on sophisticated software applications, complex information technology systems, computing infrastructure and cloud service providers (collectively, "Information Systems") to conduct critical operations. Certain of these systems are managed, hosted, provided or used by third parties, including Merck pursuant to a transition services agreement, to assist in conducting our business.

We implement processes for the assessment, identification, and management of material risks from cybersecurity threats; however, disruption, degradation, destruction or manipulation of our Information Systems through intentional or accidental means by our employees, third parties with authorized access or cyber threat actors could adversely affect key business processes. The size and complexity of our Information Systems, and those of our third-party providers with whom we contract, make such systems potentially vulnerable to service interruptions. In addition, we and our third-party providers have experienced and expect to continue to experience phishing attempts, scanning attempts against our network, and other attempts at unauthorized access to our computers, digital systems, networks, or devices. Such attacks are increasingly sophisticated and are made by groups and individuals with a wide range of motives and expertise, including state and quasi-state actors, criminal groups, "hackers" and others. These attacks could lead to loss of confidentiality, integrity and/or availability of our data and Information Systems.

In the ordinary course of business, we and our third-party providers collect, store and transmit large amounts of confidential information (including trade secrets or other intellectual property, proprietary business information and personal information), and we must do so in a secure manner to maintain the confidentiality and integrity of such confidential information. While we have processes to protect such information, and to ensure that the third-party providers on which we rely have taken adequate steps to protect such information, a breach of our Information Systems or those of our third-party providers, such as cloud-based systems, or the accidental loss, inadvertent disclosure, unapproved dissemination, misappropriation or misuse of trade secrets, proprietary information, or other confidential information, whether as a result of theft, hacking, fraud, trickery, other forms of deception, or any other cause, could enable others to produce competing products, use our proprietary technology or information, and/or adversely affect our business position. Further, any such interruption, security breach, or loss, misappropriation, and/or unauthorized access, use or disclosure of confidential information, including personal information regarding our patients and employees, or the modification of critical data, could result in financial, legal, business, and reputational harm to us, including loss of revenue, loss of critical or sensitive information from our or our third-party providers' databases or Information Systems, and substantial remediation and recovery costs. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to our data and systems, including malware and computer virus attacks.

We use multi-layered information security and data privacy programs and practices designed to foster the safe, secure, and responsible use of the information and data our stakeholders entrust to us. We work with our customers, governments, policymakers, and others to help develop and implement standards for safe and secure transactions, as well as privacy-centric data practices. Independent third parties test our cyber capabilities and audit our cloud security. We regularly test our systems to discover and address any potential vulnerabilities.

Cybersecurity Governance. Our Audit Committee has primary responsibility for overseeing our risk-management program relating to cybersecurity, although the Board participates in periodic reviews and discussion dedicated to cyber risks, threats, and protections. Our information security and privacy programs provide that the Board receives annual reports from our Chief Information Security Officer and Chief Ethics and Compliance Officer to discuss our program for managing information security risks, including data security risks, the risk of cybersecurity incidents and, if applicable, remediation of any potential cybersecurity incidents. The Audit Committee receives regular briefings on both information security and data privacy from the Chief Information Security Officer and Chief Ethics and Compliance Officer, respectively, and meets at least annually with our Chief Information Security Officer regarding our information technology. The Audit Committee receives periodic updates regarding our cybersecurity risk management program, and reports to the Board on the principal risks facing us and the steps being taken to manage and mitigate these risks. Both the Board and the Audit Committee receive periodic reports on our cyber readiness, security controls and our cybersecurity investments. In addition, our directors are apprised of incident simulations and response plans, including for cyber and data breaches.