Catalent, Inc. 10-K Cybersecurity GRC - 2024-09-06

Page last updated on September 6, 2024

Catalent, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-06 17:23:51 EDT.

Filings

10-K filed on 2024-09-06

Catalent, Inc. filed a 10-K at 2024-09-06 17:23:51 EDT
Accession Number: 0001596783-24-000087

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have established an enterprise cybersecurity program to assess, identify, and manage cybersecurity risks with the aim that our information systems, including those of our vendors and other third parties, will be resilient, effective, and capable of safeguarding against emerging risks and cybersecurity threats. Our cybersecurity program is aligned with the NIST-Cybersecurity Framework (NIST CSF v2), which provides a structured approach to inform, design, and evaluate our program. Consistent with this framework, we have established cybersecurity policies, standards, and processes designed to manage cybersecurity risks, including risks from cybersecurity threats associated with the Company’s use of third-party service providers.

Key elements of our cybersecurity program include: employee cybersecurity training, including required annual certification; identification of potential vulnerabilities through external threat intelligence feeds, scanning of our technology environment, and vendor and third-party risk assessments; an incident response plan and team that is intended to allow rapid management, response, and appropriate communication of cybersecurity incidents; and a cybersecurity operations center with support from a third party managed service provider (MSSP) to respond to threats and incidents.

When a potential threat or incident is identified, our cybersecurity incident response team will assign a risk level classification and initiate the escalation and other steps called for by our plan. All incidents that are initially assessed by the cybersecurity incident response team as potentially high-risk are escalated promptly to our chief information security officer (CISO) and chief information officer (CIO). Our CISO, CIO, and key leaders will determine whether and what elements of our cybersecurity incident response plan should be activated, including escalation to our Executive Committee and/or members of our Board of Directors as appropriate, considering a variety of factors, including financial, operational, legal or reputational impact.

Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, please refer to the discussion under the heading, “We use advanced information and communication systems to run our operations, compile and analyze financial and operational data, and communicate among our employees, customers, and counterparties, and the risks generally associated with information and communications systems could adversely affect our results of operations. We continuously work to install new, and upgrade existing, systems and provide employee awareness training around phishing, malware, and other cyber security risks to enhance the protections available to us, but such protections may be inadequate to address malicious attacks or inadvertent compromises affecting data security or the operability of such systems” included in Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosure is incorporated by reference herein.

Cybersecurity Governance

We are committed to appropriate cybersecurity governance and oversight. Our cybersecurity organization is led by our CISO, who reports directly to our CIO and under the organization of our chief financial officer (CFO). Our CISO is educated in computer information systems and has over 20 years of experience in leadership, management, and engineering roles in the technology and cybersecurity realms. Our CISO also has experience implementing cybersecurity programs in alignment with the NIST Cybersecurity Framework. Our CIO is educated in computer science and has over 25 years of experience in leadership, management, and consulting roles in applications, digitalization, and infrastructure with oversight responsibilities for cybersecurity.

Our Board of Directors oversees management’s processes for identifying and mitigating enterprise-wide risks, including cybersecurity and related information technology risks. Our Audit Committee receives updates from our CIO and CISO on our technology and cybersecurity program and receives independent external expert evaluations of our program using industry frameworks, including the NIST-Cybersecurity Framework. Our Audit Committee also receives cybersecurity updates and education on a broad range of topics, including: current cybersecurity landscape trends and emerging threats; the status of cybersecurity initiatives; incident reports and learnings from any material cybersecurity events; and any pertinent cybersecurity regulatory requirements and industry expectations.


Company Information

Name: Catalent, Inc.
CIK: 0001596783
SIC Description: Pharmaceutical Preparations
Ticker: CTLT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 29