BOSTON SCIENTIFIC CORP - (BSX)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
We rely on information technology (IT) and operational technology (OT) systems, including technology from third-party vendors, to manufacture and ship our products, as well as to process, transmit and store electronic information in our day-to-day operations. We have established a security program and processes to assess, identify and manage cybersecurity risks related to our IT and OT systems, as well as our products. Our global cybersecurity organization is led by our chief information security officer (CISO), who reports directly to our chief information officer (CIO) within the organization of our chief information and digital officer (CIDO). Our current CISO has extensive information technology experience, including in security architecture, software development and engineering, as well as leading security operations and incident response and offensive and defensive cyber projects in roles of increasing responsibility. He also previously held Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensics Analyst certifications. Our current CIDO has extensive experience overseeing information technology and security programs, including roles of increasing leadership within our Information and Digital organizations over the last ten years, and prior to that in roles of increasing responsibility managing information systems, including over 18 years at General Electric. Our current CIDO holds CISSP and other IT certifications.
Our enterprise cybersecurity program is designed to monitor and continually enhance our enterprise security posture, with the goal of preventing cybersecurity incidents to the extent feasible, including assessments to better understand our readiness for cybersecurity threats and the resilience of our critical business functions, with the goal of avoiding or reducing the impact if such an event were to occur. We have implemented cybersecurity policies mapped to industry and government standards and frameworks, such as those of the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Our cybersecurity strategy and maturity are aligned to the NIST Cybersecurity Framework (NIST CSF). This framework provides us a structured approach to managing our cybersecurity risk through its five core functions: Identification, of digital assets, their risks and business context; Protection, by implementing safeguards such as firewalls, network segmentation and email security; Detection, through monitoring for anomalies and potential threats on the network, endpoints and data; Response, by having up-to-date incident response plans and skilled teams in place, including utilizing a crisis committee to respond in the event of a cybersecurity incident; and Recovery, achieved through ensuring data and system backups as well as testing our disaster recovery procedures. We also regularly review our cybersecurity policies and require annual cybersecurity training for our employees. Our product cybersecurity focus begins with our design protocols and is supported by quality testing, provider education, and packaging and distribution standards.
We use penetration testing to simulate cyberattacks and better understand our exploitable weaknesses, and we monitor threat intelligence feeds, including avenues for product users to report vulnerabilities directly to us, and use scanning tools to detect and assess vulnerabilities that could affect our products. In addition, we conduct product, enterprise and vendor/third party risk assessments, vulnerability assessments and analyses to gain insights into potential vulnerabilities and their impact on critical functions, and leverage their outcomes to prioritize our security investments and balance our resource allocation.
We use third-party security providers for specialized areas such as incident response, penetration testing, and on-demand cybersecurity services, including staff augmentation and consulting. We also leverage a managed security service provider to augment our cybersecurity organization and to provide additional monitoring and response capabilities.
We engage and rely upon third parties to provide services and/or goods, represent us and/or otherwise act on our behalf. Prior to engaging or conducting any business with such parties, or before they conduct business on our behalf, they undergo a due diligence review, and a third-party security risk assessment is conducted to validate that they are legally permitted and qualified to maintain appropriate safeguards to protect our information assets in connection with the services they intend to provide.
Assessing, identifying, and managing cybersecurity-related risks are integrated into our enterprise risk management (ERM) program. Cybersecurity-related risks are included in the risk universe that the ERM function evaluates to assess top risks to the Company on an annual basis. Risks are discussed with appropriate members of management, who manage risk coverage, monitoring and reporting in the relevant risk function, including our cybersecurity program, and incorporate those activities as part of developing our strategic plan. The ERM program’s annual risk assessment is presented to our Board of Directors and the Risk Committee of the Board.
Our Board of Directors oversees an enterprise-wide approach to risk management, including cybersecurity risks. While the Board has the ultimate responsibility for risk oversight, each committee of the Board also oversees risk to the extent it relates to the committee’s responsibilities and provides reports to the Board in its respective area of responsibility. The Risk Committee of our Board also focuses on an enterprise-wide approach to risk management, and has primary oversight responsibility for areas of quality and nonfinancial compliance issues, including cybersecurity risks. The Risk Committee receives periodic updates from the CISO and CIDO on our cyber risks and threats, assessments of our cybersecurity program and the evolving threat landscape. Our Board of Directors also receives annual updates on such cybersecurity matters, or more frequently as appropriate under the procedures described below. Our Board and Risk Committee also receive cybersecurity risk assessments as part of the annual ERM program presentation described above.
We have established controls and procedures to escalate enterprise level issues, including cybersecurity matters, to the appropriate management levels within our organization and our Board of Directors, or members or committees thereof, as appropriate. Under our framework, cybersecurity issues, including those involving vulnerabilities introduced by our use of third-party software, are analyzed by subject matter experts, including a crisis committee as needed in accordance with our incident response plans, for potential financial, operational, and reputational risks, based on, among other factors, the nature of the matter and breadth of impact. Matters determined to present potential material impacts to our financial results, operations, and/or reputation are immediately reported by management to the Board of Directors, or individual members or committees thereof, as appropriate, in accordance with our established escalation framework. In addition, we have established procedures to help ensure that members of management responsible for overseeing the effectiveness of disclosure controls are informed in a timely manner of known cybersecurity risks and incidents that may materially impact our operations and that timely public disclosure is made, as appropriate.
Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, see Item 1A. “Risk Factors” for a discussion of cybersecurity risks that we face.