MCKESSON CORP - (MCK)

10-K Filing Date: May 07, 2024
Item 1C. Cybersecurity.
Risk Management and Security
As a diversified healthcare services leader that is dedicated to advancing health outcomes for patients everywhere, we treat cybersecurity risk management as integral to our enterprise risk management strategy. Our management, with involvement and input from external consultants and oversight from our Board of Directors (“Board”), performs an annual enterprise-wide risk assessment (“ERA”) to identify key existing and emerging risks. One of the principal risks identified and assessed through this process is cybersecurity, which remains a key focus for the Company, management, and our Board.
Our Cybersecurity Incident Response Plan (“Response Plan”) provides a framework for responding to cybersecurity incidents. The Response Plan governs activities such as preparation, detection, coordination, eradication, recovery, and appropriate escalations to the Company’s senior management, disclosure committee, Board, and relevant Board committees. The Response Plan is routinely reviewed and updated as appropriate under the leadership of our Chief Information Security Officer (CISO).
Enterprise-wide cybersecurity and privacy training continue to serve an important role in risk reduction and protection of the Company and our stakeholders. We require periodic access-based and role-based privacy and cybersecurity training, which is updated to reflect changes in the threat environment, assessment or audit findings, laws, and regulations. We also engage and educate employees through cybersecurity and privacy awareness programs and communication campaigns.
We also engage internal and external assessors, consultants, auditors, and other third parties to identify opportunities for improvements to our cybersecurity program. We manage cybersecurity risks associated with third parties, including vendors, service providers, and external users of our systems. This includes conducting due diligence on the third parties we use, as well as on the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems, and using contracts to reinforce their cybersecurity obligations.
We develop and maintain systems and operate programs that seek to mitigate the impact of cybersecurity incidents. In the face of sophisticated and rapidly evolving attempts to overcome our security measures, we must continually monitor and update these systems and programs. Both intentional and unintentional occurrences have caused, and could cause in the future, a variety of adverse business impacts to our information systems and data. See “Risk Factors” in Item 1A of Part I above for additional information on risks related to our business, including for example, risks related to privacy and data protection, cybersecurity incidents, third-party relationships, and continuity of our information systems and networks, operational technology, and technology products or services.
Governance
Our joint Chief Information Officer and Chief Technology Officer (CIO/CTO) leads management’s assessment and management of cybersecurity risk with the assistance of the Company’s CISO, who reports to the CIO/CTO. The CIO/CTO reports to our CFO, is a member of the Executive Operating Team, and provides updates to that group about cybersecurity matters. Our CIO/CTO has more than 28 years of experience managing technology and risks and advising on cybersecurity issues, and our CISO has more than 20 years of relevant experience and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).
Cybersecurity is among the risks identified by our ERA for Board-level oversight. The Audit Committee of the Board has oversight of information technology controls related to financial reporting, while the Compliance Committee of the Board has oversight of technology-related risk, including privacy and cybersecurity. The Audit Committee and Compliance Committee meet jointly at least annually to review cybersecurity risks and programs, and they are updated as needed on cybersecurity threats, incidents, or new developments in our cybersecurity risk profile. The chairs of the Audit Committee and Compliance Committee provide updates to the Board after each committee meeting. The CIO/CTO and CISO provide regular updates to the Board, Audit Committee, or Compliance Committee about material risks from cybersecurity threats. The CIO/CTO or CISO also provide regular updates to the Board, Audit Committee, or Compliance Committee about cybersecurity trends and regulatory updates, data governance and usage, technology infrastructure, our training and compliance efforts, and implications for our business strategy. External consultants also periodically update the Board on cybersecurity trends and developments.
In addition to the information provided in these meetings, members of our Board have access to continuing education, which includes topics relating to cybersecurity risks.