ELI LILLY & Co - (LLY)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We manage cybersecurity threats as part of our oversight, evaluation, and mitigation of enterprise-level risks. We have based our cybersecurity program on industry frameworks with the goal of building enterprise resilience against an evolving landscape of cybersecurity threats and to respond to cybersecurity threats as they materialize. Our program includes monitoring, identification, assessment, and management components, as well as information and escalation components designed to inform management and the board of directors of prospective risks and developments.
Our information security program encompasses functions dedicated to both proactive and reactive management of cybersecurity threats. We implement our cybersecurity program internally through established policies, standards, reference architectures, and the use of enterprise security services that focus on emerging and ongoing cybersecurity risks. Our proactive management of cybersecurity risks entails many actions, including the maintenance of system access restrictions, utilization of data security technology, employee education and training initiatives, and retention of cyber liability insurance, among other measures. We regularly engage third-party auditors and consultants and leverage our internal audit function to assess various facets of our cybersecurity program. These engagements include completion of industry-standard assessments or certifications, maturity model reviews, threat simulations, as well as internal reviews to assess the effectiveness of our cybersecurity processes. We also maintain enterprise-wide processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. As examples, we generally review current and prospective third-party service providers for unacceptable cybersecurity risks, negotiate contractual provisions that require the establishment of third-party cybersecurity controls, and deploy communications security measures to protect third-party communications.
We assess cybersecurity contingencies within our overall business continuity risk management planning process. Our Information Security team utilizes various tools to prevent, detect, monitor, and react to cybersecurity threats. Our Incident Response Playbook outlines processes, roles, responsibilities, engagements, escalations, notifications, and other communications applicable to the assessment, mitigation, and remediation of realized cybersecurity events. The nature and assessed risk of a realized cybersecurity event dictates the pace and extent of relevant processes, escalations, and communications, including an evaluation of any necessary or required disclosure. Roles and escalation paths range from within the Information Security team up to the Executive Committee, and the board of directors and its committees, as appropriate.
We describe risks faced by us from identified cybersecurity threats in Item 1A, "Risk Factors—Risks Related to Our Operations—Failure, inadequacy, breach of, or unauthorized access to, our IT systems or those of our third-party service providers, unauthorized access to our confidential information, or violations of data protection laws, could each result in material harm to our business and reputation", "Risk Factors—Risks Related to Our Operations—Manufacturing, quality, or supply chain difficulties, disruptions, or shortages could lead to product supply problems" and "Risk Factors—Risks Related to Our Operations—Reliance on third-party relationships and outsourcing arrangements could adversely affect our business."
Governance
Management, under the supervision of our Chief Information Security Officer (CISO), is directly responsible for assessing and managing cybersecurity risks and otherwise implementing our cybersecurity program, which includes our Incident Response Playbook. The CISO reports directly to our Chief Information and Digital Officer (CIDO), who is a member of our Executive Committee and leads our information technology, cybersecurity, digital health, and advanced analytics and data science functions. Our CIDO in turn regularly updates our Executive Committee on cybersecurity matters. Our CISO and CIDO have significant experience managing global cybersecurity threats across the pharmaceutical, technology, entertainment, and defense industries. In addition to providing regular updates to the CIDO and his staff, the CISO is a member of our Executive Information Security Governance function (EISG), which meets regularly and is also composed of executive and senior leadership from a variety of functions, including information security, legal, finance, audit, and ethics and compliance to assess and manage cybersecurity developments and risks and our internal programs. Each of the CIDO, the CISO and the EISG may call upon business and legal stakeholders across our company to manage cybersecurity threats and incidents.
The audit committee of our board of directors is responsible for oversight of the company's programs, policies, procedures, and risk management activities related to information security and data protection. The audit committee meets regularly with our CIDO and CISO to discuss threats, risks, and ongoing efforts to enhance cyber resiliency, as well as changes to the broader cybersecurity landscape. In addition, the ethics and compliance committee supports the audit committee and board in oversight of legal and regulatory compliance. Our board of directors also regularly participates in presentations on cybersecurity and information technology. In addition to regular presentations, management promptly updates our board of directors regarding significant threats and incidents as they arise.