WEST PHARMACEUTICAL SERVICES INC - (WST)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company has implemented the Committee of Sponsoring Organizations (“COSO”) Enterprise Risk Management (“ERM”) Framework, which outlines the process by which an organization can view any risk by way of governance and culture, integration into strategy, risk assessments, reviewing capabilities and practices, and monitoring and reporting. This process would apply to the cybersecurity risk as it would any of the other enterprise risks. We follow the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) with layered security controls to help identify, protect against, detect, respond to, and recover from cyber-attacks. To safeguard our information assets, we have put various procedures and technologies in place. For example, our Cybersecurity Incident Response Plan clearly defines roles and responsibilities for the investigation of and response to information security incidents to minimize disruption of critical computing services and operations and prevent the loss or theft of sensitive or mission-critical information. Our plan covers various cyber incidents like ransomware attacks, cyber-intrusions, data loss, denial of service, insider threats, malware attacks, and others. In a material cybersecurity incident, our D&T team, inclusive of our Chief Information Officer and VP of Cybersecurity and Infrastructure Support, address the threat via established escalation procedures, roles, responsibilities, and communication. Any cybersecurity incident that is declared as a crisis would follow our global Incident and Crisis Response and Management Procedure, which includes escalation to the West Leadership Team and Board of Directors, as deemed necessary pending the materiality of the incident. We have not encountered cybersecurity challenges that have materially impacted our operations or financial condition. 
In addition, we retain an external cybersecurity consultant to assist with a cybersecurity event as needed and maintain appropriate cybersecurity liability insurance.
The Company also educates and shares best practices globally with its employees to raise awareness of cybersecurity threats. As part of our onboarding process, we train all new employees on cybersecurity and conduct an annual retraining of all employees on cybersecurity standards. Training also includes how to recognize, report and properly respond to phishing and social engineering schemes. Multiple phishing simulation exercises are conducted throughout the year to increase cybersecurity awareness. Our cybersecurity defenses also utilize technologies such as next generation firewalls, Zero Trust architecture, intrusion detection and prevention measures, anti-malware software, advanced threat protection, multifactor authentication, network segmentation and encryption to ensure the security of West intellectual properties, customer and vendor data. In addition, we have a dedicated 24-by-7 Security Operations Center to facilitate the monitoring of the Company's cybersecurity landscape and associated applications.
Governance
Our approach to cybersecurity begins with our responsibility for strong governance and controls. Security begins at the top of our organization, where Company leadership consistently communicates the requirements for vigilance and compliance throughout the organization, and then leads by example. Our diligence and assessment extend beyond West, as the Company performs a cybersecurity assessment when third-party vendors and service providers are onboarded. Throughout the year, we monitor the effectiveness of our third-party vendors' and service providers' control environment, assessing any impact to our Company. The cybersecurity program is led by our Chief Information Officer and VP of Cybersecurity and Infrastructure Support, who provide quarterly updates to the Audit Committee of our Board of Directors, annual updates to the Board of Directors, and regular reports to the West Leadership Team about the program, including information about cyber risk management governance and the status of ongoing efforts to strengthen cybersecurity effectiveness. Additionally, our ERM function monitors cybersecurity risk and provides regular updates to the Audit Committee of our Board of Directors, annual updates to the Board of Directors, and regular reporting to the West Leadership Team on risk mitigation and response efforts. Security controls and processes are developed and maintained to protect sensitive and confidential information while ensuring availability and integrity.