INSULET CORP - (PODD)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
We manage cyber risk on a daily basis, as we face a multitude of threats, ranging from ransomware, phishing attacks and business email compromise to a wide array of other cyber-criminal tactics aimed at disrupting our operations and compromising our sensitive information. Our customers, suppliers, subcontractors and partners face similar cybersecurity threats, and a cybersecurity incident affecting us or any of these entities could materially adversely affect our operations, performance and results of operations. Accordingly, we have invested in resources (people, process, and technology) aimed at identifying, assessing, and responding to cyber threats.
Our Board of Directors (“Board”) oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure to our strategic objectives. While the Board reviews the Company’s cybersecurity program annually, the Nominating, Governance, and Risk Committee of the Board has primary responsibility for cybersecurity as part of its risk oversight mandate. The Nominating, Governance, and Risk Committee is scheduled to have regular updates on cybersecurity matters from our Chief Information Security Officer (“CISO”) and members of the CISO’s team at least two times per year. The CISO will discuss management’s actions to identify and detect threats and review the structure of and enhancements to the Company’s defenses as well as management’s progress on its cybersecurity strategic roadmap. The Nominating, Governance, and Risk Committee Chair reports back to the full Board after each Committee meeting, including information relating to the cybersecurity discussions.
Our Cybersecurity organization, which includes corporate and product security, is led by our CISO. Our CISO, who reports directly to our Chief Technology Officer (“CTO”), is responsible for developing and implementing our cybersecurity program, including setting the directional security strategy and continuous improvement plans for the overall security program. Our CISO has over a decade of experience leading cybersecurity and technology risk management programs in both healthcare and medical device manufacturing organizations, and holds and maintains multiple industry certifications, including Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). The CTO ensures cybersecurity measures are prioritized across research and development, software engineering, and our IT functions.
Assessing, identifying and managing cybersecurity-related risks are also integrated into our overall enterprise risk management (“ERM”) process. Cybersecurity-related risks are included in the risk universe that the ERM function evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM annual risk assessment is presented to the Board, with additional reporting during the year to the Nominating, Governance and Risk Committee.
We leverage the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to better manage and respond to cybersecurity risks in protecting our infrastructure and sensitive data. We have mapped our people, process, and technology to the functions defined in the NIST framework: Identify, Protect, Detect, Respond, and Recover. Additionally, Insulet’s information security management system is certified to ISO/IEC 27001 and ISO/IEC 27701, the recognized international standards for information security management and privacy information management. For the sixth consecutive year, Insulet received ISO re-certification against these standards.
We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. We maintain a cybersecurity risk register, and cybersecurity team leaders hold monthly meetings to discuss and prioritize risks as well as the status of any remediation activity. Key facets of our cybersecurity program include:
24/7 cyber monitoring. Our security operations center is located in multiple time zones to ensure around-the-clock coverage and timely threat detection and response.
External Threat Landscape Assessment. Our integrated privacy, legal, and security teams are continuously monitoring for any external threat that may impact our operations. Third-party threat intelligence feeds are leveraged to monitor Insulet’s digital footprint and activity that may cause brand damage.
Insider Risk Detection. We have targeted tools aimed at detecting insider threats and suspicious data movement.
Cloud and Vulnerability Management. To enhance cloud and data security, we reduce the attack surface by establishing secure defaults, implementing least privilege, and monitoring configurations continuously. As part of vulnerability and overall security posture management, we have a focused cross-functional team that meets regularly to address issues identified by security scans and security configuration checks to maintain hygiene of Insulet’s computing devices.
Testing and Audits. Regular penetration testing, incident response tabletop exercises, and audits are performed by trusted third-party security consultants. Findings from the resulting reports and gap analyses are logged into our risk register as appropriate.
Operational Technology (OT) Visibility. As a manufacturer of medical devices, OT is a vital component of our business operations. Interconnection between OT and other business-critical IT infrastructure can create material cyber risk. Insulet deploys network segmentation and OT-specific monitoring capabilities to mitigate and monitor this risk as our OT environment continues to expand to meet the needs of our business.
Vendor Management. Vendors and key partners are subject to Insulet’s vendor risk assessment process and are subsequently monitored by our threat intelligence capability, which tracks our key vendors and suppliers.
Training and Culture. Training, awareness, and incorporating security into Insulet’s culture is key to reducing risk around common threats such as phishing. We have an operational information security training program for all employees. In addition to annual trainings, we have frequent “nanolearning” targeted trainings. These quick trainings encourage participation, provide constant reminders to our employees to be vigilant and give them the tools to recognize and protect against cyber threats. We also conduct phishing simulations to test effectiveness of our training program with the aim of reducing the percentage of employees who click on suspicious emails.
We are intensely focused on protecting the security of our products; our guiding principle of “secure by design” underlies all of our product development. We have a cybersecurity team embedded with our research and development group to deliver on this mission as well as a Product Cybersecurity Risk Management Policy which is aligned with FDA guidance. Omnipod DASH was the first FDA-cleared insulin pump certified under the Diabetes Technology Society’s “Standard for Wireless Diabetes Device Security” cybersecurity assurance standard and program, known as DTSec. This certification is a cybersecurity standard intended to raise confidence in the security of network connected medical devices through independent expert evaluation. Omnipod 5 incorporates cybersecurity by design principles, which includes secure data transfer between the Pod, Controller, cloud storage, and compatible continuous glucose monitors. Our Secure Software Development Lifecycle enforces application testing and continuous monitoring to identify security risks. Omnipod 5 is certified by ISO 27001 and the U.K. Cyber Essentials. Omnipod 5 incorporates authentication, encryption, and cybersecurity protection to ensure only trusted devices and authorized people can access the system.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. Should a cyber incident occur, we have in place the Insulet Cybersecurity Incident Response Procedure (“CIRP”), which is designed to enable us to respond efficiently to any incident. Pursuant to the CIRP, cybersecurity incidents are reviewed and rated by our CISO and his team. A cybersecurity incident rated at predefined risk levels will be escalated to the CTO, the Chief Compliance Officer, and the General Counsel and assessed for materiality and for disclosure to the CEO and the Board. Our internal Disclosure Committee would review any planned public disclosures or filings. The CIRP provides the organizational and operational structure to respond to incidents that may affect the confidentiality, integrity or availability of our information systems.
We currently do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company’s business strategy, results of operations, or financial condition. While Insulet maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity and other risks which may impact Insulet.