ABBOTT LABORATORIES - (ABT)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Abbott’s cybersecurity risk management process is designed to identify and assess internal and external cybersecurity threats and vulnerabilities to and within Abbott’s business and operations, and analyze and prioritize risks from cybersecurity threats to inform strategies and action plans aimed at mitigating and managing these risks.
Abbott’s cybersecurity program utilizes a variety of technical and process controls that are designed to identify, protect against, detect, respond to, and recover from cybersecurity threats, including:
dedicated cybersecurity professionals who are responsible for analyzing cybersecurity threats, defining cybersecurity policy and requirements, implementing protections, and monitoring and responding to cybersecurity incidents;
periodic cybersecurity awareness training for relevant employees and contractors on Abbott policies and emerging cybersecurity threats, including phishing awareness training;
internal and third party cybersecurity testing, including penetration testing of Abbott’s information systems and hardware;
cybersecurity risk assessments for Abbott’s systems and applications;
cybersecurity monitoring and response processes intended to identify, assess, escalate, investigate, contain, and remediate incidents; and
disaster recovery plans.
In addition, risks from cybersecurity threats are integrated into Abbott’s enterprise risk management (ERM) program. The ERM program establishes a risk management framework that seeks to identify and assess risks that could materially impact Abbott’s business and operations.
As part of Abbott’s cybersecurity program, Abbott regularly engages with assessors and third party advisers to perform various services, including assessments of process design and operating effectiveness; security testing and attestation; periodic assessment of enterprise cybersecurity maturity; industry benchmarking; and thought leadership related to continuous improvement of processes, training, technology, and data.
Abbott’s cybersecurity program also aims to identify and assess cybersecurity risks associated with its use of third party service providers with access to Abbott’s systems and data, as well as such third party service providers’ adherence to certain cybersecurity standards and processes. As appropriate, Abbott requires such third party service providers to agree to be subject to cybersecurity evaluations by Abbott.
A discussion of how Abbott’s business, results of operations, and financial condition could be materially adversely affected by risks from cybersecurity threats is contained in Item 1A. Risk Factors under “Abbott depends on sophisticated information systems and maintains protected personal data, and a significant cybersecurity incident or other disruption affecting these information systems or protected personal data could have a material adverse effect on Abbott’s business, financial condition and results of operations.”
Governance
The board of directors has risk oversight responsibility for Abbott, which it administers directly and with assistance from its committees. Throughout the year, the board and its committees engage with management to discuss a wide range of enterprise risks.
The audit committee assists the board of directors in fulfilling its oversight responsibilities with respect to ERM, including risks from cybersecurity threats, and the steps management has taken to monitor and mitigate those risks. The audit committee receives reports semiannually from Abbott’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO) on Abbott’s cybersecurity strategy and program. In addition, the audit committee conducts an annual review of the ERM process, including the program structure, risk assessment, and risk mitigation.
The public policy committee assists the board of directors in fulfilling its oversight responsibility with respect to product cybersecurity, and receives reports at least annually on this topic from the CIO and CISO.
The CISO leads Abbott’s cybersecurity strategy and program and its cybersecurity and privacy incident response team that is responsible for monitoring the detection of cybersecurity incidents and executing Abbott’s cybersecurity incident response process, as needed. Pursuant to the process, the team is responsible for the investigation and resolution of cybersecurity incidents, including reporting to an Abbott senior management-level committee on detection, mitigation, and remediation of significant cybersecurity incidents. The CISO reports to the CIO, who has overall responsibility for the cybersecurity program and organization.
Abbott has two cross-functional senior management-level committees that assess Abbott’s material risks from cybersecurity threats – one that oversees Abbott’s cybersecurity program and another that oversees the cybersecurity incident response process.
The CISO has extensive technology work experience, having served in various roles in risk management, including information security audit and assessments, developing cybersecurity strategy/programs for enterprise and product security, and cybersecurity operations focused on identification, mitigation and response to cybersecurity threats. The CISO has also held leadership positions in several health sector industry organizations developing cybersecurity standards and best practices.
The CIO has extensive technology work experience at S&P 100 companies overseeing and executing technology strategies in complex, global, highly matrixed environments. The CIO provides executive leadership on technology strategy, policy, and capabilities across the Abbott enterprise.