BIOGEN INC. - (BIIB)

10-K Filing Date: February 13, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT AND STRATEGY
We maintain a technology and cybersecurity program, which includes information security, as part of our overall risk management process, with the aim that our information systems, including those of our vendors and other third parties, will be resilient, effective and capable of safeguarding against emerging risks and cybersecurity threats. We endeavor to ensure that our program is appropriately resourced and to attract and retain expert talent to execute it.
In designing, operating, evaluating and maintaining our program, we use internal and external resources and frameworks, including cybersecurity expert consultants, industry working groups, the U.S. NIST Cybersecurity Framework and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) National Cyber Incident Scoring System (NCISS) model, to benchmark, inform and evaluate the design of our program, our operational capabilities and our program maturity.
Consistent with NIST SP 800-53, our technology and cybersecurity program and controls include a third-party and vendor risk management component. As part of our vendor risk management program, we conduct security assessments prior to the engagement of high-risk vendors and other third-party providers and maintain a monitoring program to evaluate ongoing compliance with our cybersecurity standards.
A key element of our technology and cybersecurity program strategy is fostering training and awareness. Our training and awareness program includes annual cybersecurity awareness training and role-based phishing tests for our employees and for third parties with access to our systems.
Our technology and cybersecurity program focuses on the defense against, rapid detection of and rapid remediation of cybersecurity threats and incidents. Our program includes systems and processes designed on defense-in-depth and zero-trust architectural principles that are intended to provide the control capabilities set forth in NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. Our program also includes cybersecurity policies and a crisis response and management plan that is intended to allow rapid management, response and appropriate communication of cybersecurity threats and incidents.
We staff a cybersecurity operations center to respond to threats and incidents. Our cybersecurity crisis management plan sets forth the items, procedures and actions we expect to address and follow in the event of a cybersecurity incident, including detection, response, mitigation and remediation. In addition to the cybersecurity operations center and our designated cybersecurity response team, we maintain a cross-functional cybersecurity crisis core team, which includes our CISO and senior representatives from our Legal, Finance, IT and Corporate Security teams.
When a potential threat or incident is identified, our cybersecurity incident response team assigns a risk level classification and initiates the escalation and other steps called for by our plan. All incidents that the cybersecurity incident response team initially assesses as potentially high-risk are escalated promptly to our CISO. Our CISO, Chief Legal Officer and Chief Financial Officer determine whether, and which elements of, our cybersecurity crisis response and management plan should be activated, including escalation to other senior management or our Executive Committee. Our Executive Committee informs our Board of Directors of cybersecurity incidents, as appropriate, considering a variety of factors, including financial, operational, legal or reputational impact.
Our program's maturity and operational readiness are regularly evaluated by independent experts using the U.S. NIST Cybersecurity Framework and penetration tests. Our program, and the results of these independent evaluations and tests, are regularly reviewed by our senior management and members of our Board of Directors.
CYBERSECURITY RISK GOVERNANCE
We are committed to appropriate cybersecurity governance and oversight. Our technology and cybersecurity program is the principal responsibility of our Chief Information Officer and our CISO, each of whom has over 20 years of experience in information systems, including cybersecurity training and experience. Additionally, we have a cybersecurity steering committee that includes senior representatives from our Legal, Finance and IT departments and that meets regularly to discuss cybersecurity matters.
Our Board of Directors oversees management's processes for identifying and mitigating risks, including cybersecurity and information security risks. The Audit Committee of our Board of Directors regularly reviews our technology and cybersecurity program and its effectiveness, internal audits of our program, independent external expert evaluations of our program's maturity and operational readiness, and the results of penetration testing. Our Audit Committee also receives regular cybersecurity updates and education on a broad range of topics, including:
Current cybersecurity landscape and emerging threats;
Status of ongoing cybersecurity initiatives and strategies;
Incident report and learnings from any cybersecurity events; and
Compliance with regulatory requirements and industry standards.
For additional information on our cybersecurity risks, please read Item 1A. Risk Factors - A breakdown or breach of our technology systems could subject us to liability or interrupt the operation of our business, included in this report.