Page last updated on November 26, 2024
Cencora, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 14:45:55 EST.
Company Summary
Cencora is a global healthcare company that advances the development and delivery of pharmaceuticals and healthcare products. (Source: Crunchbase)
Filings
10-K filed on 2024-11-26
Cencora, Inc. filed a 10-K at 2024-11-26 14:45:55 EST
Accession Number: 0001140859-24-000177
Item 1C. Cybersecurity.
As one of the largest global pharmaceutical sourcing and distribution services companies engaged in helping both healthcare providers and pharmaceutical and biotechnology manufacturers, we are exposed to various cybersecurity threats. These threats include both those typical of companies operating in many industries, like ransomware and denial-of-service attacks, as well as more sophisticated and persistent threats from highly organized adversaries that specifically target the healthcare sector and other critical infrastructure. Our suppliers, third-party vendors, service providers, customers, and other business partners (collectively, our “third-party business partners”) are also vulnerable to similar cybersecurity risks, and any cyber incident affecting us and/or our third-party business partners could significantly disrupt our operations. In light of these risks, cybersecurity is a priority for the Company, management, and our Board of Directors (the “Board”), and we believe that it is essential for us to invest substantial resources in our cybersecurity efforts.

Risk Management and Strategy

Cybersecurity risk management is integral to our enterprise risk management strategy. Our management, with involvement and input from external consultants and advisors, and oversight from our Board, regularly performs an enterprise-wide risk assessment to identify key existing and emerging risks. To oversee cybersecurity risk at the management level, we employ a Chief Data and Information Officer (“CDIO”) and a Chief Information Security Officer (“CISO”). The CDIO is responsible for the global data landscape and IT systems across our business units, including information security. The CISO leads our Information Security team.

The CISO and his team are responsible for administering our comprehensive, company-wide information security program, which includes strategy, regulatory intelligence, IT risk management, policy development, security engineering, cyber threat detection, response, and operations. Our information security program is based upon, informed by, and responsive to industry best practice frameworks such as HITRUST CSF and ISO 27001. Our program undergoes an internal annual review that is conducted by our CISO, as well as an annual third-party external review. Additionally, we leverage a diverse array of internal and external assessors, consultants, auditors, and other third parties to identify opportunities for improvements to our information security program through methods such as penetration testing, independent audits, and consulting on best practices to address emerging risks and challenges. These assessments encompass evaluations of both the design and operational effectiveness of our security measures. Additionally, we are a member of H-ISAC, an industry cybersecurity intelligence and risk-sharing organization, which enables us to stay informed about developments, trends, and risks in the cybersecurity threat landscape and consider any necessary updates to our information security program related thereto. We are committed to employing cybersecurity best practices and have obtained and maintain multiple industry best practice cybersecurity certifications such as ISO 27001 and SOC1/SOC2.

Under the leadership of our CDIO and CISO, and with oversight, as appropriate, from the Board’s Audit Committee, we have developed a Cybersecurity Incident Response Process (the “Response Process”), which sets forth a detailed and comprehensive framework for the actions to be taken in response to a cybersecurity incident and includes appropriate escalations to the Company’s senior management, including our ECCRT (as defined below), and the Board. Under the guidance of our CISO, the Response Process is routinely evaluated and updated as appropriate.

In addition to our Response Process, which is employed in the event of a cybersecurity incident, we take preventative measures that are designed to mitigate the likelihood and prevalence of cybersecurity incidents. For example, we believe that enterprise-wide cybersecurity and privacy training serve an important role in risk reduction. Accordingly, we require employees to complete periodic access-based and role-based privacy and cybersecurity training. These trainings are routinely updated to reflect changes in the threat environment, assessment and/or audit findings, laws, and regulations. We also engage and educate employees through cybersecurity and privacy awareness programs and communication campaigns.

We recognize that our cybersecurity risk profile extends beyond our organization. As such, we strive to manage cybersecurity risks associated with our third-party business partners and external users of our systems. Our third-party business partner risk management program is built upon, informed by, and responsive to industry best practices. This program is designed to conduct appropriate due diligence on the third-party business partners with whom we engage and conduct business, as well as on the systems and the cybersecurity controls of such third-party business partners. Specifically, to evaluate third-party cybersecurity controls, we utilize third-party cybersecurity monitoring and alerting tools and cybersecurity due diligence questionnaires, and we request and review third-party audit reports and assurance certifications if they exist.

Our information systems have been subject to cybersecurity incidents in the past, including the incident disclosed in February 2024 relating to certain exfiltrated data. The incident has not had a material impact on the Company’s operations and, as previously disclosed, we do not believe that the incident is reasonably likely to materially impact our financial condition or results of operations. However, there is no guarantee that future cybersecurity incidents will not have a material impact. Despite our comprehensive approach to cybersecurity, we may not be able to prevent or mitigate a cybersecurity incident that could materially impact our business, results of operations, or financial condition. While we hold cybersecurity insurance, the expenses associated with cybersecurity threats or disruptions may not be completely covered by our policy. See “Risk Factors” in Item 1A of Part I above for additional information on risks related to our business, including, for example, risks related to privacy and data protection, cybersecurity incidents, third-party relationships, and continuity of our information systems and networks, operational technology, and technology products or services.

Board Governance and Management

As described above, our CDIO leads management’s assessment and management of cybersecurity with the assistance of our CISO, who reports directly to the CDIO and meets with the CDIO on a regular basis to discuss pertinent risks, mitigation factors, remediation status, and risk acceptance. The CDIO, who reports directly to our President and Chief Executive Officer, is a member of the Executive Leadership Team (the “ELT”) and provides updates to the ELT about cybersecurity matters. Our CDIO has more than 25 years of experience managing technology and risks and advising on cybersecurity issues, and our CISO has more than 25 years of IT and relevant cybersecurity experience.

Additionally, we have established the Extended Cyber Crisis Response Team (“ECCRT”). The ECCRT is a cross-functional incident response team composed of senior leaders from across the various departments of the organization that, in the event of a cyber incident, helps lead the decision-making process for the execution of containment and recovery processes and incident communications, including reporting to senior management and, in turn, the Board, as appropriate, in each case in accordance with the protocols set forth in our Response Process.

Cybersecurity is among the risks identified by our Enterprise Risk Management Team for Board-level oversight. While the full Board retains overall oversight over cybersecurity, the Board has delegated to its Audit Committee oversight of the Company’s information technology security program and the controls around cybersecurity, and to its Compliance and Risk Committee oversight of an enterprise risk management program that is designed to assist with monitoring and mitigating operational risks. The Audit Committee and Compliance and Risk Committee meet every quarter. The Audit Committee is updated as needed on cybersecurity threats, incidents, and programs, and the Compliance and Risk Committee is updated as needed on new developments in our cybersecurity risk profile. After each such meeting, the respective chairs of the Audit Committee and Compliance and Risk Committee provide a report to the full Board on the committee meeting. Senior leadership, including our CDIO and CISO, routinely updates and reports to the Board, the Audit Committee, and the Compliance and Risk Committee, as applicable, on our cybersecurity and information security risks and the management of such risks, our data governance and usage, our technology infrastructure, our training and compliance efforts, and implications for our business strategy. In addition to the information provided in these meetings, members of our Board have access to continuing education, which includes topics relating to cybersecurity risks.
Company Information
Field | Value
--- | ---
Name | Cencora, Inc.
CIK | 0001140859
SIC Description | Wholesale-Drugs, Proprietaries & Druggists’ Sundries
Ticker | COR - NYSE
Website | (not listed)
Category | Large accelerated filer
Fiscal Year End | September 29