GILEAD SCIENCES, INC. - (GILD)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Processes Used to Assess, Identify, and Manage Material Risks from Cybersecurity Threats
Risk Assessment and Management
Our approach to managing material risks from cybersecurity threats, which is informed in part by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (though we do not imply that we meet any particular technical standards, specifications or requirements), is designed to identify, protect against, detect, respond to and recover from cybersecurity incidents.
Our security governance function, which includes key employees from our Information Security, Legal, and Privacy teams, such as our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), is responsible for establishing and implementing cybersecurity policies and procedures, which includes developing and updating our enterprise incident response plan (“IRP”), managing incident response, and overseeing any policy exceptions and potential compensating controls.
Additionally, we assess our cybersecurity maturity annually against the NIST framework and implement and maintain controls designed to evaluate and improve our cybersecurity program, including vulnerability assessments and penetration tests performed as needed. We also conduct employee cybersecurity training and awareness programs on key cybersecurity topics, including reporting incidents, phishing, ransomware, remote working, cloud security, privileged access, and removable media.
Our process for assessing, identifying, and managing material risks from cybersecurity threats is integrated into our overall risk management process. We have a robust enterprise risk management (“ERM”) program that plays an important role in seeking to manage and address existing and emerging risks, including cybersecurity risks, which are critical to our overall business goals and objectives. The ERM team updates our CEO and his leadership team on cybersecurity risks as well as their potential impact, likelihood, potential mitigation plan, and status.
Incident Response
We have a dedicated Information Security team responsible for managing and coordinating incident response efforts. This team collaborates closely with other teams within the company, including teams within information technology (“IT”), Legal and Privacy, in identifying, analyzing, and responding to cybersecurity incidents, which includes tracking cybersecurity incidents to help identify any related incidents. When cybersecurity incidents are identified, our practice is to respond to and address them using incident classifications and escalation protocols, in accordance with applicable governmental regulations and other legal requirements.
We have an IRP to prepare for and respond to cybersecurity incidents. The process is tested in annual tabletop exercises to help identify strengths and areas for improvement.
Engagement of Third Party Advisors
We engage third party advisors, including assessors, cybersecurity consultants, and auditors to assess, validate, and enhance our cybersecurity program. We benefit from engaging third parties to provide specialized skills, knowledge, tools, and resources. These third parties also help reduce costs, increase efficiency, improve quality, mitigate risks, and review cybersecurity strategy, trends, and threat landscape.
Third-Party Service Provider Risk Management
We have a process in place to oversee and identify risks from cybersecurity threats associated with our use of key third-party service providers during the course of an engagement. The company uses an external risk management software program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Our vendor security assessment process evaluates key vendors and, where appropriate, assesses vendors’ controls for IT security, privacy, business continuity, and other third-party risks. Following an evaluation, the company determines and prioritizes risks based on their potential impact, which helps inform the appropriate level of additional due diligence and ongoing compliance monitoring. The third-party risk assessment is a cross-functional effort involving our end-user, Legal, Privacy, and Information Security teams.
Material Risks from Cybersecurity Threats
The company has not identified any risks from cybersecurity threats that have materially affected us. We do not believe that risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, over the long term. Like many companies, we have experienced cybersecurity incidents, including data breaches and temporary service interruptions. However, as of the end of 2023, known cybersecurity incidents, individually or in aggregate, have not had a material impact. Nevertheless, there can be no assurance that our efforts in response to cybersecurity incidents, as well as our investments to protect our IT infrastructure and data, will shield us from significant losses, brand and reputational harm and potential liability or prevent any future interruption or breach of our systems. Such cybersecurity incidents can cause the loss of critical or sensitive information, including personal information, and could give rise to legal liability and regulatory action under data protection and privacy laws. For additional information on cybersecurity risks we face, see Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K under the heading “Information system service interruptions or breaches, including significant cybersecurity incidents, could give rise to legal liability and regulatory action under data protection and privacy laws and adversely affect our business and operations.”
Cybersecurity Governance
Board Oversight of Risks from Cybersecurity Threats
Our Board of Directors plays an important role in overseeing cybersecurity risks. Our Board of Directors has established an oversight structure for monitoring the effectiveness of, and risks related to, the cybersecurity program. Designated by the Board to oversee cybersecurity and information technology risks, the Audit Committee receives quarterly cybersecurity updates from our CISO, and the chair of the Audit Committee meets with the CISO individually on a quarterly basis. These updates often address topics such as ongoing efforts to improve our cybersecurity posture, operational metrics, incident metrics, and mitigation actions, and may include key metrics such as those related to cybersecurity maturity, risk reduction, cybersecurity program health, and audit and compliance activities. The Audit Committee updates the Board on its activities at each regularly scheduled Board meeting. Risks related to cybersecurity events are reported to the Board on an annual basis as part of an overall ERM update. In addition to this regular reporting, significant cybersecurity risks may also be escalated on an as-needed basis through the company’s organizational structure in accordance with the IRP.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
Under the IRP, cybersecurity incidents are escalated to management as appropriate based on defined incident severity levels. Management, including the CIO and CISO, is involved in assessing and managing our cybersecurity risks. The CISO reports to the CIO (who in turn reports to our Chief Financial Officer, who in turn reports to the CEO), and both the CIO and CISO participate in global leadership team meetings. With over 26 years of experience, including over three years with the company, the CIO has been recognized externally for his leadership in technology innovation in the industry, and provides strategic leadership for the company’s IT organization. The CISO has over 30 years of IT and cybersecurity experience in the large biopharmaceutical, life sciences, financial and technology industries, including over ten years with the company, and is responsible for managing security architecture, engineering, technology operations, monitoring, incident response, risk, governance, quality and compliance at the company.
The company’s Information Security function comprises teams that engage in a range of cybersecurity activities such as security operations, security engineering, data privacy controls, validation, compliance, and audit readiness. Leaders of each team are expected to collaborate to help increase visibility of key issues and alignment with strategy. As noted above, the company’s IRP includes standard processes for escalating significant cybersecurity incidents to management, including the CISO. The company’s incident response team also coordinates with external legal advisors, cybersecurity forensic firms, communication specialists, and other outside advisors and experts, as appropriate.