UNITED THERAPEUTICS Corp - (UTHR)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
We have implemented a cybersecurity program consistent with industry practices to assess, identify, and manage risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of our networks, systems, and data.
Governance
Board of Directors
Our board of directors has delegated the primary responsibility to oversee risks related to cybersecurity matters to our Audit Committee. Our Audit Committee regularly receives reports and presentations on data privacy and security, which address relevant cybersecurity issues, and which can span a wide range of topics, including but not limited to, recent developments, evolving standards, vulnerability assessments, review of risks from third parties such as customers, service providers, and suppliers, and the current threat environment. These reports and presentations are provided by senior personnel with responsibility for IT security, including our Security, Risk and Compliance Director (SRC Director) and our Chief Information Officer. Our board, through its interactions with our Audit Committee chair and our SRC Director and Chief Information Officer receives periodic updates regarding cybersecurity risk matters and prompt and timely information regarding significant cybersecurity incidents and our response to such incidents.
Management
At the management level, our Corporate Crisis Management Team (CCMT) is comprised of senior representatives from all key business functions, including finance, operations, and legal, and has broad oversight of our risk management processes. The CCMT has global responsibility for corporate crisis management, policy guidance, and training for employees involved in crisis management at all levels. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A—Risk Factors, which should be read in conjunction with this Item 1C—Cybersecurity.
Internal Cybersecurity Team
Our Incident Management Team (IMT) is led by our SRC Director, who serves as the point of contact for all IT security related matters within our Company, and also includes our Chief Information Officer. Our IMT is responsible for the implementation, monitoring, and maintenance of the cybersecurity and data protection practices across our Company. Our SRC Director is responsible for ensuring the regular review and maintenance of the Computer Security Incident Response Plan (CSIRP) and the execution of all procedures within it. Our SRC Director has technical leadership experience and cybersecurity expertise gained from over 25 years of experience, including security leadership, program development, strategy formulation, data protection, and IT risk management within the health care, pharmaceutical, and biotechnology industries. The security professionals in the IMT have cybersecurity backgrounds and expertise relevant to their roles, including, in certain circumstances, relevant industry certifications. In addition to our internal cybersecurity capabilities, we also have engaged outside experts to assist with assessing, identifying, and managing cybersecurity risks. The IMT meets as necessary to discuss, investigate, and respond to any cybersecurity incidents, to allocate resources to respond to incidents, and to confirm incidents are appropriately documented. We have protocols by which the IMT escalates certain cybersecurity incidents within our Company and, where appropriate, the IMT will notify appropriate stakeholders and our Audit Committee and provide updates on the status of the incident. A number of experienced employees responsible for various parts of our business and a team of trained cybersecurity professionals assist our SRC Director and the IMT. A number of internal teams, including our Operations Infrastructure Team, Operations End User Computer Team, Operations Engineering Team, Security, Risk and Compliance Team, Operational Technology Team, and Application Administrators and certain external vendors (together, the Incident Response Team Members), collectively with the IMT, form the Incident Response Team (IRT), which investigates and responds to privacy or cybersecurity incidents.
Risk Management and Strategy
We manage cybersecurity risks through a robust enterprise risk management process. These policies and practices follow the National Institute of Standards and Technology (NIST) cybersecurity framework. Our cybersecurity program encompasses the IMT and its policies, platforms, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats, including third-party risk from vendors and suppliers. Our program includes various policies, procedures, and plans related to cybersecurity, including the CSIRP, Corporate Crisis Management Plan, Crisis Communications Response Plan, Organizational Resiliency Governance Policy and Framework, and Business Continuity Plans. These plans outline a coordinated approach for protecting information security, managing vulnerabilities, and assessing, identifying, and managing risks from cybersecurity threats, including identifying and responding to cybersecurity incidents, and processes for
2023 Annual Report
49



categorizing incidents, reporting findings, and keeping senior management, our Audit Committee, and other key stakeholders informed and involved as appropriate.
The CSIRP applies to all Company employees and workforce members and provides processes and procedures to properly identify and handle incidents that may affect the safety and/or security of Company resources. The CSIRP covers all potential or realized privacy or security incidents, and is applicable to all Company campuses, divisions, business units, systems, devices, and materials.
In general, our incident response process involves five phases:
Identify— in which we gather an understanding of how to manage our cybersecurity risks to our systems, assets, data and capabilities, including through threat modeling, cybersecurity threat intelligence from industry-recognized forums and sources, internal audits, third-party reviews and assessments, vulnerability scans and penetration tests;
Protect— in which we implement controls and safeguards to protect or deter cybersecurity threats, including through firewalls, VPNs, identity and access management and intrusion prevention systems;
Detect— in which we engage in continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events;
Respond— in which any threats are timely reported to responsible teams, and triaged for purposes of preliminary classification and escalation, and assessment for possible notification and disclosure requirements; and
Recover— in which business continuity plans are implemented, vulnerabilities are identified and mitigated, legal obligations and risks are identified, and our systems are returned to operational readiness.
We have developed a Testing, Training, & Exercise (TT&E) program in accordance with NIST Special Publication 800-84, in which all members of the IRT are required to participate, to sustain and refine our ability to handle computer security incidents in accordance with best practices. The TT&E program includes testing of procedures, systems, and plans, training for the IRT, and tabletop exercises. We also conduct required periodic phishing simulation tests for all employees.
For the response phase of an incident, after the SRC Director or the designated alternate IRT leader receives notification of any potential or realized privacy or security incident, the SRC Director or the designated alternate IRT leader makes an initial severity classification and determines if it is appropriate to convene the IRT, the members of which will be based on the nature and severity of the incident. The IMT has general authority and responsibility for incident response, which includes allocating resources to respond to incidents and providing the appropriate reports and statuses to senior management through the office of the CIO. The Incident Response Team Members support the IMT in these efforts.
We also employ processes designed to identify and reduce the potential impact of a security incident at a third-party vendor or otherwise implicating the third-party technology and systems we use.
We maintain a cyber liability insurance plan underwritten by multiple insurance companies, which provides protection against certain potential losses arising from cybersecurity incidents.
Impact of Cybersecurity Risk
To date, we have not been subject to any cybersecurity incidents that, individually or in the aggregate, have had a material impact to our operations or financial condition, although we recognize that cyberattacks impacting our networks or systems may have a material adverse effect on our operations in the future, as discussed in our Part I, Item 1A—Risk Factors. We do not have reason to believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our business, reputation, operations, or revenue over the long term.