Medtronic plc 10-K Cybersecurity GRC - 2024-06-20

Page last updated on July 16, 2024

Medtronic plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-20 16:16:51 EDT.

Filings

10-K filed on 2024-06-20

Medtronic plc filed a 10-K at 2024-06-20 16:16:51 EDT
Accession Number: 0001613103-24-000072

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have designed and implemented a cybersecurity risk management program to help us identify, assess, and mitigate cybersecurity risks relevant to our business, based on the National Institute of Standards and Technology (NIST) Cyber Security Framework 2.0. Our cybersecurity risk management program includes: - dedicated cybersecurity professionals who analyze cybersecurity threats, define cybersecurity policy and requirements, implement protections, and monitor and respond to cybersecurity incidents, - cybersecurity regulatory based risk assessments for the Company’s systems and applications (where required), - a formal incident response plan, in which incidents are classified based upon the severity, impact, and the potential harm that can be caused by the incident, - annual information security training program for all employees, including phishing awareness training, - cybersecurity works closely with application development and infrastructure & operation teams to embed security considerations into the foundation of technology, - engagement of third-party service providers to conduct assessment of the Company’s cybersecurity risk management program, penetration testing, and vulnerability testing, - a third-party risk assessment process for service providers, suppliers, and vendors. In addition, given the smart technology within our devices, our product security includes design protocols and is supported by quality systems testing and use scanning tools to assess and detect vulnerabilities that could affect our products. Risks from cybersecurity threats are integrated into Medtronic’s enterprise risk management (ERM) program. The ERM program establishes a risk management framework that seeks to identify, assess, and mitigate risks that could materially impact the Company’s business and operation. To date, the Company is not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on the Company’s business or operations. However, despite our security measures, there can be no assurance that the Company, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. See Item 1A. Risk Factors under, “We rely on the proper function, security and availability of our information technology systems and data, as well as those of third parties throughout our global supply chain and our customer and payor base, to operate our business, and a breach, cyber-attack or other disruption to these systems or data could materially and adversely affect our business, results of operations, financial condition, cash flows, reputation or competitive position.” Governance The cybersecurity risk management program is led by the Chief Information Security Officer (CISO). Our CISO has over 28 years of experience assisting public and privately held companies in a variety of industries, leading several enterprise-wide transformation initiatives to adapt to changing cybersecurity threats. The CISO has held various executive level positions within Fortune 500 companies. Our CISO reports to the Chief Information Officer (CIO), who leads the Global Information Technology (IT) organization and works closely with the Executive Committee to guide strategic direction and IT decisions to drive business outcomes. Our Board of Directors is engaged in the Company’s ERM program and receives briefings on the outcomes of the ERM program and the steps the Company takes to mitigate risks that the program identifies. The Quality Committee of the Board oversees the Company’s cybersecurity strategies, systems, and controls to ensure reliability and prevent unauthorized access. The Audit Committee discusses policies with respect to risk assessment and risk management, including risks associated with the reliability and security of the Company’s information technology and security systems, and the steps management has undertaken to monitor and control such exposures. The Audit Committee receives regular updates on the Company’s cybersecurity risk management program from the CISO and CIO.

Company Information