CARDINAL HEALTH INC - (CAH)
10-K Filing Date: August 14, 2024
| Cybersecurity | ||||||||
Cybersecurity
Cybersecurity Risk Management
We identify, assess, and manage risks related to cybersecurity through documented policies, standards, and procedures as part of our overall approach to cybersecurity, which is a component of our wider enterprise risk management program. Our approach to detection, mitigation, remediation, and prevention of cybersecurity risks utilizes a range of measures including, among other elements: benchmarking to generally accepted industry standards and frameworks, such as the National Institute of Standards and Technology cybersecurity framework; use of periodic tabletop exercises to promote awareness and improve internal processes; periodic penetration testing; a dedicated staff of cybersecurity professionals; and implementation of security measures and policies intended to identify as well as assist in containing and remediating cybersecurity risks. We maintain cybersecurity incident response, disaster recovery, and business continuity plans that govern activities such as preparation, detection coordination, remediation and recovery, and escalation to senior management and, where appropriate, relevant committees of the Board. These plans are routinely reviewed under the leadership of our Chief Information Security Officer ("CISO"). We also maintain mandatory employee cybersecurity and privacy compliance awareness training requirements, which are supplemented by employee engagement campaigns.
We utilize third parties to assist with, and assess the effectiveness of, our cybersecurity posture, in addition to supporting incident response and mitigation where necessary. We identify and assess third party risks associated with suppliers and service providers across a range of areas, including cybersecurity, through a third-party risk management process that incorporates, among other features, the use of risk assessments and, where appropriate, contractual requirements around evaluations, security, technology, service levels, and other terms.
To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Cardinal Health. However, the scope and impact of any future incident cannot be predicted. For more information, please see Item 1A “Risk Factors” for the risk factor entitled “Our business and results of operations could be adversely affected if we experience a material cyber-attack or other systems breach.”
Governance
Our CISO, in coordination with our Chief Information Officer (“CIO”) to whom the CISO reports, leads our approach to assessing and managing cybersecurity-related risks. Our CISO has over twenty-five years of experience in information technology (“IT”), with twenty years in IT risk management, compliance, and information security, as well as a background in leading technical infrastructure teams and roles supporting business operations.
As part of management’s oversight of our cybersecurity program, we maintain an IT risk governance process that includes multiple levels of escalation from our IT Risk Advisory Board, which meets
on a monthly basis and whose membership includes the CISO and IT functional area leadership, to an executive-level committee to help address cybersecurity risks at an enterprise level.
While the company’s Board oversees our overall risk management process, as part of its oversight, the Board has delegated certain responsibilities to committees of the Board. The Audit Committee of the Board has primary responsibility for discussing with management cybersecurity and other major IT risk exposures and management’s steps to monitor and control such exposures. In coordination with the Audit Committee, the Risk Oversight Committee of the Board monitors Cardinal Health’s compliance with applicable legal and regulatory requirements, including with respect to data privacy and security. Our Audit Committee receives quarterly updates from the CISO and CIO and the Board receives at least annual cybersecurity updates. Among other items, these updates cover a range of matters relevant to our cybersecurity program, including: the threat environment and related business risks; the state, priorities of, and investments in our cybersecurity program; the availability of cyber insurance; review of certain cybersecurity incidents that have occurred within the company and the industry; and relevant cybersecurity operational metrics.
Cardinal Health | Fiscal 2024 Form 10-K | 43 | |||||||
| Properties and Legal Proceedings | ||||||||
Properties
In the United States, at June 30, 2024, the Pharmaceutical and Specialty Solutions segment operated one national logistics center and a number of primary pharmaceutical and specialty distribution facilities. The GMPD segment operated medical-surgical distribution, assembly, manufacturing and other operating facilities in the United States.
At June 30, 2024, our GMPD segment also operated manufacturing facilities in Canada, Costa Rica, the Dominican Republic, Germany, Ireland, Japan, Malaysia, Malta, Mexico, Puerto Rico and Thailand.
Our Other Operating Segments operated facilities throughout the United States.
Our principal executive offices are headquartered in an owned building located at 7000 Cardinal Place in Dublin, Ohio.
We consider our operating properties to be in satisfactory condition and adequate to meet our present needs. However, we regularly evaluate operating properties and may make further additions and improvements or consolidate locations as we seek opportunities to expand or enhance the efficiency of our business.