Zoetis Inc. - (ZTS)
10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity.
As a global leader in animal health, we are reliant on complex information systems and digital solutions that make us inherently vulnerable to malicious cyber intrusion and attack. In addition, we have been expanding our data and digital capabilities including in our diagnostics portfolio, and as a result, there could be an increased likelihood of a cyberattack or breach of security that could negatively impact us or our customers. Despite the presence of these risks, to date, the identified risks of cybersecurity threats (including as a result of any previous cybersecurity incidents) have not materially affected, and are not reasonably likely to materially affect, us or our business strategy, results of operations, or financial condition. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K.
Cybersecurity Program
As part of our risk management processes, we have an enterprise-wide cybersecurity program aligned to the NIST Cybersecurity Framework. Our program is a risk-based program designed to protect our information systems through multiple defenses and layers of security, commonly referred to as a “Defense in Depth” approach. Key elements of our program include:
Independent Third-Party Assessments
We engage an independent third party to conduct assessments of our cybersecurity program approximately every 18 months. This independent third-party assessment includes an evaluation of our cybersecurity controls based on the NIST Cybersecurity Framework.
Training
We have an information security training program that includes: monthly awareness articles, a phishing training program (with reports reviewed by the Executive Team), a Security Ambassador program for additional training and awareness for individuals in high-risk roles, required and optional training modules in our Learning Management System, and quarterly security-focused podcasts.
Incident Response Procedure
We have a 24/7 managed Security Operations Center (SOC) for escalation of any critical events, including cybersecurity incidents. In the event of an incident, we use an Incident Response procedure based on NIST Standard 800-61 that we have customized for Zoetis. Additionally, we have in place disaster recovery and business continuity practices designed to provide for continuous business operations for our customers in the event of a cybersecurity incident. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.
Third Party Onboarding
We depend on third parties and applications on virtualized (cloud) infrastructure to operate and support our information systems and have a third-party risk management program and assessment process for onboarding third parties.
Management’s Role in Risk Oversight
Our information security team includes our Executive Vice President, Chief Digital & Technology Officer; our Vice President, Chief Information Officer; and our Head of Technology Risk, Compliance and Chief Information Security Officer. Our Executive Vice President, Chief Digital and Technology Officer has over 20 years of information technology experience. She was the Chief Information Officer for key business units at an S&P 500 healthcare company, and was that company’s first Chief Information Security Officer, where she led the strategy and execution to secure products, devices, manufacturing systems and information across businesses. She holds a master’s degree in computer science and a master’s degree in business applications of information and technology. Our Vice President, Chief Information Officer has over 20 years of experience in technology and digital leadership roles at large public companies and holds a bachelor’s degree in information systems. Our Head of Technology Risk, Compliance and Chief Information Security Officer has over 20 years of experience in information security, and holds a bachelor’s degrees in computer science and biology.
We have established a cybersecurity governance program with clear roles for the executive management team as well as oversight by the Board of Directors and the Audit Committee. The Zoetis information security team provides regular cyber threat intelligence briefings to management and provides updates to our senior executives on the status of the Company’s security measures and our efforts to identify and mitigate risks from cybersecurity threats. The Zoetis information security team also works closely with the Zoetis Legal team, including the Chief Privacy Officer, to further enhance incident response procedures. For example, we have a corporate crisis management plan in place to govern our response to corporate crises, which could include cyber incidents, and we conduct periodic simulated programs to ensure readiness. This plan also includes a standard framework for categorization of incidents based on risk level and severity, and requires escalation to Zoetis senior management and/or the Audit Committee of the Board of Directors if certain severity levels are met.
Role of the Board of Directors and Committees
The Board of Directors maintains an active role in the oversight of material risks. The Board of Directors utilizes its various Committees to oversee certain key risks, and has delegated responsibility to the Audit Committee for oversight of the Company’s enterprise risk management process and information security risk management program. Management, with oversight from the Zoetis Board of Directors, is responsible for the Company’s assessment and management of exposure to risk. The Audit Committee of the Board of Directors is also responsible for oversight of compliance with disclosure requirements under applicable laws and regulations, and would be consulted prior to the disclosure of any material cybersecurity incident.
The Zoetis information security team regularly provides an information security dashboard to the Audit Committee, covering the most active and relevant threats to Zoetis, relevant trends, and any notable events. At least twice annually, the Zoetis information security team presents updates to the Audit Committee with respect to the information security program, including the status of our security measures and our efforts to identify and mitigate information security risks. The Audit Committee also regularly reviews certain data privacy and cybersecurity metrics as part of the compliance update presented to the Audit Committee.
In addition, the Chief Information Security Officer presents updates at least annually to the Board of Directors with respect to the information security program, including the results of our independent, third-party assessment. The Board of Directors also participates in annual table-top exercises involving simulated data security incidents and the Company’s responses to those incidents.