PFIZER INC - (PFE)

10-K Filing Date: February 22, 2024
ITEM 1C.
CYBERSECURITY
Managing cybersecurity risk is a crucial part of our overall strategy for safely operating our business. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) approach, which is subject to oversight by our BOD. Our cybersecurity policies and practices are aligned with relevant industry standards.
Consistent with our overall ERM program and practices, our cybersecurity program includes:
Vigilance: We maintain a global cybersecurity operation that endeavors to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing business disruptions.
External Collaboration: We collaborate with public and private entities, including intelligence and law enforcement agencies, industry groups and third-party service providers to identify, assess and mitigate cybersecurity risks.
Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include firewalls, intrusion prevention and detection systems, disaster recovery capabilities, malware and ransomware prevention, access controls and data protection. We continuously conduct vulnerability assessments to identify new risks and periodically test the efficacy of our safeguards through both internal and external penetration tests.
Education: We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity events.
Supplier Ecosystem Management: We extend our cybersecurity management control expectations to our supply chain ecosystem, as applicable. This includes identifying cybersecurity risks presented by third parties.
Incident Response Planning: We have established, and maintain and periodically test, incident response plans that direct our response to cybersecurity events and incidents. Such plans include the protocol by which material incidents would be communicated to executive management, our BOD, external regulators and shareholders.
Enterprise-Wide Coordination: We engage experts from across the Company to identify emerging risks and respond to cybersecurity threats. This cross-functional approach includes personnel from our R&D, manufacturing, commercial, technology, legal, compliance, internal audit and other business functions.

Pfizer Inc.
2023 Form 10-K
26


Governance: Our BOD’s oversight of cybersecurity risk management is led by the Audit Committee, which oversees our ERM program. Cybersecurity threats, risks and mitigation are periodically reviewed by the Audit Committee and such reviews include both internal and independent assessment of risks, controls and effectiveness.
Our risk assessment efforts have indicated that we are a target for theft of intellectual property, financial resources, personal information, and trade secrets from a wide range of actors including nation states, organized crime, malicious insiders and activists. The impacts of attacks, abuse and misuse of Pfizer’s systems and information include, without limitation, loss of assets, operational disruption and damage to Pfizer’s reputation.
A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation. We regularly engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported to the Audit Committee and the BOD, as appropriate, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
The Audit Committee oversees cybersecurity risk management, including the policies, processes and practices that management implements to prevent, detect and address risks from cybersecurity threats. The Audit Committee receives regular briefings on cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and considerations arising from our supplier ecosystem. The Audit Committee may also promptly receive information regarding any material cybersecurity incident that may occur, including any ongoing updates regarding the same. The Audit Committee periodically discusses our approach to cybersecurity risk management with our Chief Information Security Officer (CISO).
Our CISO is a member of our management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. The CISO works in coordination with other members of the management team, including, among others, the Chief Digital Officer, the Chief Financial Officer, the Chief Compliance and Risk Officer and the General Counsel and their designees. We believe our business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats.
Our CISO, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CISO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other Pfizer colleagues in accordance with our cybersecurity policies and procedures, as is appropriate.
As of the date of this Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition at this time. For further discussion of the risks associated with cybersecurity incidents, see the Item 1A. Risk Factors—Information Technology and Security section in this Form 10-K.

© 2024 Material-Incidents. All rights reserved.