BRISTOL MYERS SQUIBB CO - (BMY)

10-K Filing Date: February 13, 2024
Item 1C. CYBERSECURITY

Risk Management and Strategy

The Company manages cybersecurity risk as part of our overall enterprise risk management strategy, which is overseen by the Audit Committee and the Board. The Company employs robust cybersecurity and data privacy programs that are largely aligned to, among others, the U.S. National Institute of Standards and Technology Cybersecurity Framework to assess, identify and manage material risks from cybersecurity threats.

We are constantly evolving our cyber defenses to minimize impacts from cyber threats by using a multi-pronged approach that helps safeguard our assets and data. We are particularly focused on addressing emerging cybersecurity risks, including human risk, as phishing attacks remain one of the most common causes of data breaches; third-party supply chain risks, as threat actors continue to target supply chains to compromise a greater number of victims; and geopolitical risk, as tensions and conflicts around the world are often accompanied by an increase in sabotage, espionage and cyber attacks. As threat actors frequently target employees to gain access to information and systems, we have a comprehensive global human risk management program that educates our workforce on threats they face as a first line of defense, and includes elements addressing phishing, malware, data handling, device security, cybersecurity education, password security, internet browsing and defenses to physical threats. Our employees are exposed to data-driven cybersecurity awareness campaigns and training in order to keep pace with industry standards, evolving challenges and innovative solutions with respect to information security, data privacy, and cybersecurity risks to the organization. Additionally, we employ a multi-layered approach in our application of cybersecurity technologies to help safeguard our systems, networks, and data from potential cybersecurity threats. For companies that we acquire, our integration plans include, where appropriate, workable timelines for alignment on information security, data privacy, cybersecurity and employee education.

To support our preparedness, we have a cybersecurity incident response plan (“CIRP”) that we regularly update as business needs and the security landscape change. In the event of a cybersecurity incident, our incident response team refers to our CIRP and existing management internal controls and disclosure processes. Pursuant to this process, designated personnel are responsible for assessing the severity of the incident and any associated threats, containing and resolving the incident as quickly as possible, managing any damage to the Company’s systems and networks, minimizing the impact on the Company’s stakeholders, analyzing and executing upon internal reporting obligations, escalating information about the incident to senior management, as appropriate, and performing post-incident analysis and program enhancements, as needed. We perform tabletop exercises annually to test our incident response procedures, identify gaps and improvement opportunities and exercise team preparedness.

We engage with third parties to separately conduct cyber assessments on a recurring basis and assist with containment and remediation efforts. In addition, third-party technology and analytics are utilized to identify potential vulnerabilities. We recognize that third parties that provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To manage third-party risk, we maintain a third-party risk management program, which is designed to assess the security controls of our third parties. The assessment methodology is based on risk and relies on the data, access, connectivity, and criticality of the services that the third-party offers. As noted, we also conduct tabletop exercises to identify gaps in our supply chain resilience so we can implement improvements.

We maintain relationships with law enforcement, government agencies, forensic investigators, and legal counsel to inform our cybersecurity and data privacy programs.

As of December 31, 2023, and through the date of this filing, we are not aware of any material cybersecurity incidents that have impacted the Company. However, we have been the target of cyber attacks and expect them to continue as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent in the industry. We face risks of incidents, whether through cyber attacks or cyber intrusions through the Cloud, the Internet, phishing attempts, ransomware and other forms of malware, computer viruses, email attachments, extortion, and other scams. Although we make efforts to maintain the security and integrity of our information technology systems, these systems, and the proprietary, confidential and personal information that resides on or is transmitted through them, are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party vendors, will prevent breakdowns or incidents to our or our third-party vendors’ systems that could adversely affect our business. For a discussion of these risks, see “Item 1A—Risk Factors—Information Technology and Cybersecurity Risks—We are dependent on information technology and our systems and infrastructure face certain risks, including from cybersecurity incidents and data leakage.”

Governance

The Company’s cybersecurity and data privacy programs are implemented and overseen by the Company’s Chief Information Security Officer (“CISO”), the Executive Vice President, Chief Digital and Technology Officer, and senior management. The information security team responsible for managing and implementing the Company’s cybersecurity and data privacy programs has many years of valuable business experience managing risks from cybersecurity threats and data privacy breaches and developing and implementing cybersecurity and data privacy policies and procedures.

Our Audit Committee, which consists solely of independent directors, oversees the Company’s overall enterprise risk assessment and risk management policies and guidelines, including risks related to cybersecurity matters. Our Audit Committee reviews, discusses with management and oversees the Company’s information security and data protection programs. In particular, the Audit Committee receives periodic updates from the CISO, internal audit function and other members of management on significant cybersecurity and data privacy threats to our systems and the potential impact on the Company’s business, financial results, operations, and reputation; risk management strategies, including information governance and security policies and programs, program assessments and planned improvements; major legislative and regulatory developments that could materially impact the Company’s cybersecurity and data privacy policies and programs; and the status of information security initiatives, including an appropriate threat assessment relating to information technology risks. After each such update, the Chair of the Audit Committee updates the full Board. The Board also receives similar cybersecurity updates directly from the CISO and other members of management at least annually, and as needed from time to time.

© 2024 Material-Incidents. All rights reserved.