GE HealthCare Technologies Inc. - (GEHC)

10-K Filing Date: February 06, 2024
ITEM 1C. CYBERSECURITY

CYBERSECURITY RISK MANAGEMENT.

GE HealthCare employs practices, processes, and procedures to proactively and comprehensively manage risks, including risks related to cybersecurity, through its enterprise risk management (“ERM”) program. We aim to identify material cybersecurity risks via multiple strategies, including user and external reporting, audit and assessment activities, and technology programs. We utilize risk identification and risk mitigation strategies.

Risk identification begins with understanding the devices and equipment in use across the company, including laptops and other data devices, industrial equipment and machinery, and associated risks related to the use of those devices and equipment.

Risk mitigation entails protecting our data and operational systems via a system of controls. We monitor and collect data about the devices and users that touch our network resources, reviewing this data for anomalies. When we identify anomalies, we investigate to determine if the anomaly represents a threat. We have a process to contain and remediate identified threats. As discussed further below, we have incident response processes in place to utilize in case of threats or incidents. We conduct regular crisis simulations.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our ERM assessment program as well as our cybersecurity-specific risk identification program, as discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence.

We have a dedicated team of cyber professionals who report to our Chief Information Security Officer (“CISO”). This team publishes information technology and security policies, measures compliance, and operates a program to mitigate risks and threats. Our risk mitigation activities include network segmentation, cyber protection and containment, detection and reaction, and recovery. This team operates to decrease the risk of cyber incidents having a material impact. We measure our programs against the National Institute of Standards and Technology Cybersecurity Framework and regularly test our controls and incident response plans.

We maintain incident response plans that guide our activities in preparing for, detecting, responding to, and recovering from cybersecurity incidents. These plans cover the range of activities we undertake in connection with responding to cybersecurity incidents, including assessment, investigation, containment, remediation, and mitigation, as well as compliance with legal obligations including any necessary regulatory reporting.

As part of these processes, we regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.

We describe whether and how cybersecurity-related risks could materially affect our business under the heading “Increased cybersecurity requirements, vulnerabilities, threats, and more sophisticated and targeted computer crimes pose a risk to our systems, networks, products, solutions, services, and data, as well as our reputation, which could adversely affect our business” under Item 1A. “Risk Factors.”

CYBERSECURITY GOVERNANCE.

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Audit Committee of our Board is responsible for the oversight of cybersecurity-related risks. The Audit Committee regularly receives reports from management on our cybersecurity threat risk management and strategy processes, including on topics such as our data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, incident response plans, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to these risks. The Audit Committee received reports from our Chief Information Officer (“CIO”) and/or CISO four times in 2023.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CISO. The CISO works closely with the CIO, Chief Privacy Officer (“CPO”), and other members of the legal team who report to the General Counsel to review the cybersecurity program while monitoring global data protection regulations and cybersecurity laws. The CISO, CIO, and CPO, collectively, have over 35 years of work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. Our CISO is currently a board member for the National Technology Security Coalition, a non-profit, non-partisan trade association serving as the voice of CISOs to help improve national cybersecurity, and has served on the board of advisors of many security technology companies.