Edwards Lifesciences Corp - (EW)

10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our Information Security team manages Edwards’ Information Security Program, which is focused on assessing, identifying, and managing cyber risk and information security threats. We evaluate cybersecurity risk on an ongoing basis, and it is a risk monitored through our overall enterprise risk management program, including by the executive leadership and the board of directors, described below under "Governance."

To proactively manage cybersecurity risk in our organization, our management team has instituted an Edwards Information Technology Security Policy that is available to all employees through the employee handbook and on our intranet. We also conduct regular cybersecurity awareness and training campaigns for existing employees. Internal and external stakeholders can access the Edwards Integrity Helpline 24/7 online or by phone to report any security incidents for escalation. We also disclose information about our product security and provide relevant contact information for our stakeholders to report any product vulnerabilities.

To proactively identify, mitigate, and prepare for potential cybersecurity incidents, we maintain both a business continuity plan and cyber incident response plan with formalized workflows and playbooks. We periodically conduct simulation exercises involving employees at various levels of the organization. We also periodically engage external partners to conduct annual audits of our systems, and test our IT infrastructure. Through these channels and others, we work to proactively identify potential vulnerabilities in our information security system. We recognize that we are exposed to cybersecurity threats associated with our use of third-party service providers. To minimize the risk and vulnerabilities to our own systems stemming from such use, our Information Security team identifies and addresses known cybersecurity threats and incidents at third-party service providers on a continuous basis. In addition, we strive to minimize cybersecurity risks when we first select or renew a vendor by including cybersecurity risk as part of our overall vendor evaluation and due diligence process.

We have not had previous cybersecurity incidents that have materially affected us. Our risks associated with cybersecurity threats are set forth under “Risk Factors” in Part I, Item 1A in this report.

Governance

Our Board of Directors and our Audit Committee oversee our enterprise-wide risk management, including with respect to cybersecurity. Our Chief Financial Officer presents information on our enterprise-wide risks to the Board of Directors at each of its regularly scheduled meetings. Our SVP, Enterprise Risk Management presents to our Board of Directors and our Audit Committee at least once a year on our significant enterprise-wide risks as well as our enterprise-wide risk program. In addition, our Chief Information Officer (“CIO”) and our Chief Information Security Officer (“CISO”) present to the Audit Committee at each regularly scheduled Audit Committee meeting on information technology infrastructure as well as risks related to cybersecurity and information security.

The oversight of our cybersecurity program at the management level rests with the Executive Leadership Team (“ELT”), which has designated the CISO to lead and execute on the cybersecurity program. The CISO provides regular updates to the executive leadership team, including the CEO, on our cybersecurity program and cybersecurity risks. Our cybersecurity leaders have extensive experience in cybersecurity, including in consulting and corporate roles at Forbes 100 companies and experience leading security incident detection and response, security architecture, and strategy programs.

Finally, management has instituted our Information Security Council and Enterprise Risk Management Council, both of which are made up of senior leaders of the Company. The Information Security Council is tasked with overseeing information security matters at Edwards, including cybersecurity. This council serves as an escalation point for issues requiring concerted action and, in turn, informs executive management regarding information security and cybersecurity risks and issues. The Enterprise Risk Management Council is tasked with proactive management of our enterprise-wide risks, including information security risks that also include cybersecurity. This council is responsible for assessing, and providing input into, the enterprise risks that are presented to the Board of Directors.
