AbbVie Inc. - (ABBV)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
We rely on complex information technology systems and various software applications to operate our business. We have developed a comprehensive cybersecurity program designed to protect our systems and the confidentiality, integrity and availability of our data.

We have implemented processes that are intended to assess, identify, manage and reduce cybersecurity risks. We maintain a global incident response plan and disaster recovery management plan, each designed to protect against, identify, evaluate, respond to and recover from an incident. These plans anticipate an array of potential scenarios and provide for the assembly of a cybersecurity incident response team in the event of a cyber incident. The incident response team is a cross-functional group that may be composed of both company personnel and external service providers, and which is tailored to a particular incident so that individuals with appropriate experience and expertise are available. We regularly conduct exercises to help ensure the plans’ effectiveness and our overall preparedness.

We also have invested in tools and technologies to protect our and our patients', customers' and business partners' data and information technology, and we regularly monitor our information technology systems and infrastructure to identify and assess cybersecurity risks. We have designed a Threat Intelligence function that actively looks for risks that target the pharmaceutical industry generally or AbbVie specifically. We rely in part on third parties (including assessors, consultants, advisors and others) in connection with our processes for assessing, identifying, managing and reducing cyber risks.

In addition, we have implemented a cybersecurity awareness program designed to educate and train our entire employee network on how to identify and report cybersecurity threats. Training programs are conducted on a periodic basis and are focused on giving employees tools to manage and defend against the most relevant and prevalent cybersecurity risks to AbbVie. We also provide specialized training for employees in specialized information technology roles. We conduct regular drills, such as tabletop exercises, to help with our overall preparedness.

We take measures to regularly update and improve our cybersecurity program, including conducting independent program assessments, penetration testing and scanning of our systems for vulnerabilities. We follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework and undergo a third-party assessment every two years to measure the maturity of our cybersecurity program against the NIST Cybersecurity Framework. In addition, we periodically engage third-party advisors to assess the effectiveness and capabilities of our cybersecurity program, strengthen our cybersecurity policies and practices and identify potential vulnerabilities of our systems.

With respect to third-party service providers, our information security program includes conducting due diligence of relevant service providers’ information security programs prior to onboarding. We also contractually require third-party service providers with access to our information technology systems, sensitive business data or personally identifiable
25
Image3.gif | 2023 Form 10-K

information to implement and maintain appropriate security controls and contractually restrict their ability to use our data, including personally identifiable information, for purposes other than to provide services to us, except as required by law. To oversee the risks associated with these service providers, we work with them to help ensure that their cybersecurity protocols are appropriate to the risk presented by their access to or use of our systems and/or data, including notification and coordination concerning incidents occurring on third-party systems that may affect us. These relevant service providers are contractually required to notify us promptly of information security incidents that may affect our systems or data, including personally identifiable information. While we conduct due diligence on the security and business controls of our third-party service providers and take steps to monitor their compliance with our security requirements, we may not have the ability in all cases to effectively monitor or oversee the implementation of these control measures.

As of December 31, 2023, cybersecurity risks have not materially affected our business, strategy, results of operations, or financial condition. Although we have invested in the protection of our data and information technology and monitor our systems on an ongoing basis, there can be no assurance that such efforts will in the future prevent material compromises to our information technology systems that could have a material adverse effect on our business. We maintain cybersecurity insurance coverage to mitigate our financial exposure to certain incidents. For additional information about our cybersecurity risks, see Item 1A, "Risk Factors - AbbVie depends on information technology and a failure of, or significant disruption to, those systems could have a material adverse effect on AbbVie's business."

Our board of directors has risk oversight responsibility for AbbVie and administers this responsibility both directly and with assistance from its committees. Each of the committees periodically reports to the board of directors on its risk oversight activities. Cybersecurity is a critical component of our enterprise risk management program, which is designed to be business aligned, risk-focused and multi-faceted to protect our and our patients', customers' and business partners' data. Our board of directors is actively involved in reviewing our information security and technology risks and opportunities (including cybersecurity) and discusses these topics on a regular basis.

The Audit Committee, comprised solely of independent directors, oversees our enterprise risk management program and assists the board of directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), which are fully integrated into our enterprise risk management program. The Audit Committee reviews and discusses our information security and technology risks (such as cybersecurity), including our information security and risk management programs.

Our cybersecurity program is led by our Chief Information Security Officer, who is responsible for assessing and managing our information security and technology risks (including cybersecurity). He has more than 25 years of experience in information security and information technology risk management, holding chief information security officer positions with Fortune 500 companies in the retail, healthcare and life sciences industries. He has also served on the Health-ISAC board of directors and is a Certified Information System Security Professional (CISSP).

Our Chief Information Security Officer meets regularly with our information technology teams as well as other members of management to review and discuss our cybersecurity and other information technology risks and opportunities. Our global incident response plan sets forth a detailed security incident management and reporting protocol, with escalation timelines and responsibilities.

The Audit Committee receives regular updates from the Chief Information Security Officer and other members of management on our cybersecurity program, including on information security and technology risks, program assessments, and risk management practices. Our Chief Information Security Officer also provides similar topical updates to the full board of directors at least annually.

2023 Form 10-K | abbvieimage3.gif
26