VERTEX PHARMACEUTICALS INC / MA - (VRTX)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to maintain the security, confidentiality, integrity, and availability of our business systems and confidential information, including personal information and intellectual property. Our cybersecurity program includes systems and processes for assessing, identifying, and managing material risks from cybersecurity threats, and includes maintenance and monitoring of information security policies aligned with global regulatory controls; user and employee awareness of cyber policies and practices; information systems configuration management; third-party risk management systems; identity and information asset protection; infrastructure security systems; and cyber threat operations with continuous monitoring and threat hunting. This program includes processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. We also engage a range of third-party experts in connection with various development, implementation, and maintenance activities related to our cybersecurity program.
Our cybersecurity program is integrated into our overall risk management systems, including our annual enterprise risk management program, internal audit program, business continuity and crisis management programs, third-party risk management program, insurance risk management program, and employee compliance programs. As part of our overall risk management program, we maintain a global insurance portfolio with comprehensive cyber coverage. Our Chief Information Security Officer (“CISO”) and the Information Security function advise, consult with, or provide input to each of these programs to ensure that material risks from cybersecurity threats are appropriately assessed, identified, and managed.
As of the date of this report, there have been no cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, operations, or financial condition.
Governance
While our board of directors has oversight responsibility for risk management generally, the Audit and Finance Committee (“Audit Committee”) is specifically responsible for overseeing our cybersecurity risk management program to ensure that cybersecurity risks are identified, assessed, managed, and monitored. Our CISO provides periodic updates to the Audit Committee in this regard, and covers the state of our cybersecurity program, supported by key performance indicators across the range of cybersecurity functions related to risk management and governance, identity and information asset protection, core security and endpoint security, and cyber threat operations. These updates include descriptions of cybersecurity incidents of interest, including those associated with our third-party service providers; the board will be informed promptly of material risks from cybersecurity threats.
We strive to create a culture of cybersecurity resilience and awareness and believe that cybersecurity is the responsibility of every employee and contractor. At the same time, primary responsibility for assessing, monitoring, and managing our cybersecurity risks lies with our CISO, Michael Daly. Mr. Daly has more than 35 years of experience in security and information systems and spent 25 years with Raytheon Technologies, most recently as Chief Technology Officer of Cybersecurity, Special Missions, Training & Services. Mr. Daly supported the U.S. President's National Security Telecommunications Advisory Committee for more than 20 years, is a member of the Massachusetts Cybersecurity Strategy Council, and is Chair of the Kogod Cybersecurity Governance Center at American University. Formerly, he served on the Rhode Island Homeland Security Advisory Board and was a member of various commercial cyber product councils.
Mr. Daly oversees a team of skilled cybersecurity professionals who have Certified Information Systems Security Professional (“CISSP”) credentials, Global Information Assurance Certification from the SANS Institute, and other security and network certifications. The cybersecurity team monitors and evaluates our cybersecurity posture and performance on an ongoing basis, including through regular vulnerability scans, penetration tests, and threat intelligence feeds. The cybersecurity team uses various tools and methodologies to manage cybersecurity risk that are tested on a regular cadence, and assesses and evaluates cybersecurity incidents, escalating certain cybersecurity incidents to Mr. Daly according to protocol. Mr. Daly is continually informed regarding the performance of the cybersecurity program, as well as the latest developments in cybersecurity, including potential threats and innovative risk management techniques.