TANDEM DIABETES CARE INC - (TNDM)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and patient and customer data (“Information Systems and Data”).
Our information security function is led by our Vice President, Cybersecurity (our “Information Security Team”), and is supported by our Chief Technology Officer, our Chief Legal, Privacy and Compliance Officer and legal department, our Vice President, Head of Information Technology, and our cybersecurity incident management team. Our Information Security Team is tasked with identifying, assessing and managing our cybersecurity threats and risks. It identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including: the use of manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting risk assessments, coordinating with law enforcement concerning threats, conducting internal and external audits and threat assessments for internal and external threats, obtaining third party threat assessments, conducting vulnerability assessments to identify vulnerabilities, and tabletop incident response exercises.
Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including an incident response policy, vulnerability management policy, disaster recovery and business continuity plan, vendor risk management program, programs for incident detection and response, encrypting certain data, network security controls, data segregation, asset management tracking and disposal, penetration testing, employee training, access controls, physical security controls, systems monitoring, a dedicated cybersecurity officer, and cybersecurity insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, the Information Security Team works with other members of management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. Additionally, our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Cybersecurity and Data Privacy Oversight Subcommittee (the “Privacy and Security Subcommittee”) of the Nominating and Corporate Governance Committee, as well as our Board of Directors, the latter of which evaluates our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including professional services firms, including legal counsel; cybersecurity consultants; cybersecurity software providers; managed cybersecurity service providers; penetration testing firms; and forensic investigators.
We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, contract manufacturing organizations, distributors and supply chain resources. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes requiring certain vendors to complete security questionnaires, conducting risk assessments for certain vendors, reviewing security assessments, conducting security assessment calls with certain vendor security personnel, and imposing contractual obligations on the vendor. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors in Part I, Item 1A of this Annual Report, including in the section titled “Risks Related to Privacy and Security.”
Governance
Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The Privacy and Security Subcommittee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity management processes are implemented and maintained by our Information Security Team, in consultation with members of our cybersecurity incident management team. Our cybersecurity incident management team is led by our Vice President, Cybersecurity and includes our Chief Human Resources Officer, our Vice President, Privacy, and senior personnel from our legal, finance, and relevant business departments (the “Incident Management Team”). Our Vice President, Cybersecurity brings extensive experience in software development, IT, and cybersecurity, gained in over two decades in the telecommunications, financial services, defense, and healthcare sectors. Notably, he spent the last four years at a medical device company focused on insulin delivery, where he successfully established the product security program and played a pivotal role in obtaining clearance for its flagship product line.
As the leader of our Information Security Team, our Vice President, Cybersecurity, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, requesting and allocating budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response policy and security incident handling procedure are designed to escalate certain cybersecurity incidents to members of management who are part of the Incident Management Team. The Incident Management Team works to help mitigate and remediate cybersecurity incidents of which they are notified. In addition, the cybersecurity incident response policy and security incident handling procedure include escalating certain cybersecurity incidents to our disclosure committee and, if appropriate, to the Privacy and Security Subcommittee.
The Privacy and Security Subcommittee meets periodically, and receives regular reports from our Vice President, Cybersecurity and, as appropriate, other members of the Information Security Team concerning any significant cybersecurity threats and risks and the processes we have implemented to address them. The Privacy and Security Subcommittee also receives various reports, summaries or presentations related to cybersecurity threats, risk and mitigation, generally. The Privacy and Security Subcommittee provides regular reports to the Nominating and Corporate Governance Committee of significant matters related to the Privacy and Security Subcommittee’s responsibilities, and the Nominating and Corporate Governance Committee, together with the Vice President, Cybersecurity, in turn provide regular reports to our Board of Directors on such significant matters.