JOHNSON & JOHNSON - (JNJ)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Risk management and strategy
The Company has documented cybersecurity policies and standards, assesses risks from cybersecurity threats, and monitors information systems for potential cybersecurity issues. To protect the Company’s information systems from cybersecurity threats, the Company uses various security tools supporting protection, detection, and response capabilities. The Company maintains a cybersecurity incident response plan to help ensure a timely, consistent response to actual or attempted cybersecurity incidents impacting the Company.
The Company also identifies and assesses third-party risks, both within the enterprise and through the Company's use of third-party service providers, across a range of areas including data security and supply chain, through a structured third-party risk management program.
The Company maintains a formal information security training program for all employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete mandatory training on data privacy.
To evaluate and enhance its cybersecurity program, the Company periodically utilizes third-party experts to undertake maturity assessments of the Company’s information security program.
To date, the Company is not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on the Company’s business or operations; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for the Company to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. Refer to the risk factor captioned “An information security incident, including a cybersecurity breach, could have a negative impact to the Company’s business or reputation” in Part I, Item 1A. Risk Factors for additional description of cybersecurity risks and potential related impacts on the Company.
Governance - management’s responsibility
The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity controls designed to address cybersecurity threats and risks. The Chief Information Officer (CIO), who is a member of the Company’s Executive Committee, and the Chief Information Security Officer (CISO) are responsible for assessing and managing cybersecurity risks, including the prevention, mitigation, detection, and remediation of cybersecurity incidents.
The Company’s CISO, in coordination with the CIO, is responsible for leading the Company’s cybersecurity program and management of cybersecurity risk. The current CISO has over twenty-five years of experience in information security, and his background includes technical experience, strategy- and architecture-focused roles, cyber and threat experience, and various leadership roles.
Governance - board oversight
The Company’s Board of Directors oversees the overall risk management process, including cybersecurity risks, directly and through its committees. The Regulatory Compliance & Sustainability Committee (RCSC) of the board is primarily responsible for oversight of risk from cybersecurity threats and oversees compliance with applicable laws, regulations and Company policies related to, among others, privacy and cybersecurity.
RCSC meetings include discussions of specific risk areas throughout the year including, among others, those relating to cybersecurity. The CISO provides at least two updates each year to RCSC on cybersecurity matters. These reports include an overview of the cybersecurity threat landscape, key cybersecurity initiatives to improve the Company’s risk posture, changes in the legal and regulatory landscape relative to cybersecurity, and overviews of certain cybersecurity incidents that have occurred within the Company and within the industry.
2023 Annual Report | 17 |