Walgreens Boots Alliance, Inc. 10-K Cybersecurity GRC - 2024-10-15

Page last updated on October 15, 2024

Walgreens Boots Alliance, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-15 16:02:25 EDT.

Filings

10-K filed on 2024-10-15

Walgreens Boots Alliance, Inc. filed a 10-K at 2024-10-15 16:02:25 EDT
Accession Number: 0001618921-24-000084

Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the critical importance of safeguarding sensitive information and responding effectively to cybersecurity threats or incidents. As a part of the Company’s overall risk management strategy, the Company implements a lines-of-defense model for protecting the enterprise against cybersecurity related threats. The Chief Information Officer (“CIO”) has first line responsibility for the protection of the Company against cybersecurity related threats, which includes evaluating potential threats and determining the appropriate responses. The Chief Information Security Officer (“CISO”), who reports to the CIO, is the executive accountable for the monitoring, continuous development and improvement of the Company’s Information Security program. This program, which is aligned to the National Institute of Standards and Technology Cybersecurity Framework, (i) provides strategic oversight with respect to cybersecurity controls for the Company’s technology, (ii) identifies potential risks in the Company’s supplier ecosystem and (iii) outlines threat intelligence and incident response coordination for current and emerging cybersecurity risks. Additionally, the CISO and CIO continually evaluate and make updates to the Information Security program to align with regulatory requirements and industry best practices to keep company-wide training initiatives related to cybersecurity risks robust and up to date.

As part of the second line of defense, the Company maintains a Technology, Risk and Compliance (“TRC”) function and a Company-wide Enterprise Risk Management (“ERM”) program for which the WBA Chief Ethics and Compliance Officer provides oversight. The TRC function is responsible for reviewing and updating the Company’s Information Security policy and manages compliance with critical security related regulatory requirements, including those related to HIPAA and the Payment Card Industry - Data Security Standard. The ERM program systematically identifies and reports enterprise-wide risks and the related risk mitigation recommendations, including the consideration of cybersecurity risk relative to other top risks, to executive management. The TRC and ERM teams work collaboratively with the Information Security team to support the Company’s risk mitigation efforts.

The CISO partners closely with the Legal, Privacy and TRC teams, allowing for coordination with respect to policy design and providing domain expertise for incident response, as well as setting strategy. The CISO’s updates to the overall risk management strategy and policy incorporate real-time operating metrics from the Company’s technology environment as well as industry knowledge from team members and consultants, internal and external auditors, participation in professional peer networks, membership in Information Sharing and Analysis Centers, and commercial threat intelligence. Additionally, on a regular basis, the CISO briefs the CIO and other executive management committee members on emerging threats.

The Company has established a comprehensive Data Security Event Plan (“DSEP”) which formalizes how the Company and management identify, investigate, respond to and report incidents involving unauthorized access to sensitive data. The DSEP is co-managed by the CISO, the Chief Privacy Officer and the Vice President of Technology Risk. The DSEP assists with establishing a repeatable process for management to identify the relative significance of incidents and defines internal and external reporting obligations. Response strategies are tailored to the circumstances of each incident, considering technical, business, legal and regulatory factors. Thorough documentation and data preservation are paramount throughout the investigation process. Once incidents are properly identified and assessed under the DSEP, communications are coordinated internally and escalated accordingly to the Audit Committee and the Board, as well as externally, to allow for timely dissemination of accurate information while adhering to legal and regulatory requirements.

The Company engages outside experts as needed to supplement in-house expertise with industry-leading experts for incident response and recovery, digital forensics, penetration testing, and outside counsel specializing in cybersecurity matters. To mitigate cybersecurity risks and threats arising from the Company’s use of third-party service providers, the Company conducts proactive diligence on certain service providers’ information security programs to help meet the Company’s baseline cybersecurity standards as set by the CISO under the Information Security program.

In evaluating cybersecurity incidents, management considers the potential impact to customer privacy as well as results of operations, controls, and financial condition, as well as the potential impact, if any, to the Company’s business strategy or reputation. As of the date hereof, we are not aware of any risks from cybersecurity threats, including risks from any past cybersecurity threats, that have materially affected our business or results of operations. However, future cybersecurity threats could materially affect us, including our business strategy, results of operations, or financial condition. For more information on risks associated with cybersecurity threats, see the risk factor titled “Cybersecurity, Data Privacy and Information Security Risks” in Item 1A-Risk factors.

WBA Fiscal 2024 Form 10-K

Governance

The Audit Committee, whose members include seasoned technologists and technology consultants, has been delegated responsibility for overseeing the Company’s management of strategy with respect to data, privacy and cybersecurity risks. The Audit Committee receives briefings from the CISO related to ongoing cybersecurity-related initiatives and cybersecurity risks, including emerging threats, at least quarterly. The Audit Committee then determines whether any such matters need to be presented to the full Board. Additionally, the Audit Committee regularly reviews and discusses with management, no less than annually, the Company’s enterprise risk assessment and key enterprise risks in connection with the larger ERM program, which includes matters related to information security and technology risks, including cybersecurity. The CISO also provides an update directly to the full Board no less than annually regarding the overall health of the cybersecurity program.

The Company’s CIO and CISO have over 40 years of combined experience in technology leadership roles for large, multinational corporations, including extensive experience in enterprise cybersecurity strategy, policy, incident response and controls.


Company Information

Name: Walgreens Boots Alliance, Inc.
CIK: 0001618921
SIC Description: Retail-Drug Stores and Proprietary Stores
Ticker: WBA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: August 30