STRYKER CORP - (SYK)
10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY.
RISK MANAGEMENT AND STRATEGY
We review cybersecurity risk as part of our overall enterprise risk management program. This ensures that cybersecurity risk management remains a top priority in our business strategy and operations.
MANAGEMENT'S ROLE IN MANAGING RISK
Primary management responsibility for assessing, monitoring and managing our cybersecurity risks rests with our chief information security officer ("CISO"). Our current CISO has over 30 years of experience in information technology, including over 20 years in cybersecurity, and oversees a team of cybersecurity professionals with over 140 security, risk and compliance certifications. The CISO is regularly informed about recent developments in cybersecurity, including potential threats and innovative risk management techniques.
The CISO implements and oversees processes for the regular monitoring of our information systems. We use various tools and methodologies to manage cybersecurity risk that are tested regularly. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. In addition, we engage third-party consultants to conduct annual cybersecurity assessments and to conduct audits for compliance with regulatory, Sarbanes-Oxley Act, Service Organization Control Type 2 and International Organization for Standardization standards. We also engage third parties to assess our cybersecurity maturity and risk management programs.
We use a cross-departmental approach to addressing cybersecurity risk, with our cybersecurity, product security and legal teams presenting quarterly on key topics to a committee of leaders in finance, regulatory, and corporate affairs functions. This leadership committee meets quarterly to ensure that we have input and oversight from critical stakeholders into our cybersecurity program and evolving issues.
The CISO oversees a training and awareness program for employees to take part in protecting the Company against cybersecurity risks. We have implemented annual mandatory security education to help employees understand cybersecurity risks and comply with our cybersecurity policies. Additionally, we provide frequent communications around pertinent cybersecurity topics and policies to all employees. We also provide additional cybersecurity and data protection training to employees in certain roles.
As part of our cybersecurity risk management program, we also conduct cybersecurity and privacy assessments on all third parties who integrate with Stryker’s data, network, systems and products. We use a combination of internal and external tools to confirm that these third parties meet our security requirements. We leverage standard industry threat model and privacy impact assessment concepts to confirm that data minimization and adequate data protections are in place. We perform supplemental reviews as necessary, commensurate with the risk associated with each vendor.
In the event of a cybersecurity incident, we have an incident response plan that includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. The cybersecurity and product security teams routinely practice this plan with functions across the organization. We conduct tabletop exercises with senior management, during which we practice the procedures in place to ensure that potentially material cybersecurity risks and incidents are escalated to management and the Board of Directors where applicable.
GOVERNANCE
Cybersecurity risks are overseen by the full Board of Directors and the Audit Committee. The Audit Committee is central to the Board of Directors’ oversight of cybersecurity risks and bears the primary responsibility for overseeing cybersecurity risk. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major cybersecurity initiatives. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives.
Our CISO provides comprehensive updates to the Audit Committee quarterly and the full Board of Directors at least annually. These briefings include a range of topics, including:
• Current cybersecurity landscape and emerging threats;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from any cybersecurity events;
• Metrics demonstrating company and industry-standard prevention of common threats; and
• Regulatory changes impacting cybersecurity requirements and strategy.
The Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats and is actively engaged in our cybersecurity risk management strategy.
RISKS FROM CYBERSECURITY THREATS
Although cybersecurity risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we face numerous and evolving cybersecurity threats in our business. For more information about the cybersecurity risks we face, see the risk factor entitled "We, our business partners or our third-party vendors could experience a material failure or breach of a key information technology system, network, process or site" in Item 1A. Risk Factors.