BECTON DICKINSON & CO 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 28, 2024

BECTON DICKINSON & CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 13:36:08 EST.

Filings

10-K filed on 2024-11-27

BECTON DICKINSON & CO filed a 10-K at 2024-11-27 13:36:08 EST
Accession Number: 0000010795-24-000084


Item 1C. Cybersecurity.

Risk Management and Strategy

BD’s cybersecurity risk management program is focused on maintaining the confidentiality, integrity and availability of BD products, manufacturing and distribution operational technology (“OT”), enterprise IT and BD data. We incorporate cybersecurity risk management into our systems and processes, which we strive to align with multiple industry-leading cybersecurity standards, including the Joint Security Plan issued by the Health Sector Coordinating Council for BD products and guidelines issued by the National Institute of Standards and Technology (NIST) for our manufacturing and distribution OT and enterprise IT. Our commitment to cybersecurity includes a total life cycle approach to protecting BD products, manufacturing and distribution OT, enterprise IT and BD data. Using various tools and techniques, we proactively monitor for suspicious activity and perform risk assessments (including independent third-party risk assessments), penetration testing and vulnerability scanning to identify potential threats and vulnerabilities. We also collaborate with government and industry leaders to gather and share cybersecurity threat intelligence. We provide mandatory annual cybersecurity awareness training for our 70,000+ associates, and we send phishing simulation emails monthly to all associates who use a BD email address and an assigned computing device. We also use tools to monitor unintentional sharing of personal, confidential and proprietary information. Our cybersecurity risk management program includes a documented incident response and critical incident management plan to identify, assess and manage the potential impact of cybersecurity threats or vulnerabilities and prioritize risk mitigation and/or remediation measures to safeguard BD products, manufacturing and distribution OT, enterprise IT and BD data.
We strive to align BD Information Security policies and procedures with industry best practices, including the NIST Cybersecurity Framework, International Organization for Standardization (“ISO”)/International Electrotechnical Commission (IEC) 27001:2022 standards for information security, Underwriters Laboratories (“UL”) 2900-1 Cybersecurity Standard for Medical Devices, and U.S. Food and Drug Administration’s pre-market and post-market guidance for cybersecurity in medical devices. In 2022, BD achieved ISO/IEC 27001:2022 certification at the enterprise level, demonstrating that BD’s Information Security Management System (ISMS) conforms to internationally recognized cybersecurity standards. In July 2024, BD engaged a third-party auditor to complete its second enterprise-level annual surveillance audit for ISO 27001, which determined that BD continues to meet these rigorous standards. These policies and procedures establish processes for handling data, assets, systems and other technology resources to help protect BD products, manufacturing and distribution OT, enterprise IT and BD data. We also incorporate cybersecurity risk management into our Enterprise Risk Management (“ERM”) program. Through our ERM program, we identify, assess and manage a broad range of risks across our businesses, regions and functions, and we align our risk management efforts with our corporate strategy. Our enterprise IT, manufacturing and distribution OT, third-party and product cybersecurity risks are each assessed as part of our ERM program. As part of our cybersecurity risk management program, we engage a range of third-party experts each year, including advisors, consultants and auditors, to evaluate and enhance our program through security attestations and certifications, maturity assessments and security testing. We also engage third parties for staff augmentation to strengthen our cybersecurity program through additional dedicated resources. 
In addition, we actively engage with intelligence agencies, law enforcement, and advocacy and industry groups. We also identify, assess and manage risks associated with our use of third-party service providers and maintain a third-party risk management program that monitors third-party cybersecurity risk throughout the procurement lifecycle, from planning and sourcing through relationship conclusion. This program includes supplier cybersecurity vetting at the time of engagement, cybersecurity risk assessments and cybersecurity vulnerability monitoring. Our third-party risk management program is aligned with NIST and ISO/IEC frameworks and is focused on continuous improvement through intelligence sharing with industry groups. There can be no assurance that such measures will be sufficient to prevent, mitigate or remediate cybersecurity incidents or breaches. Although we have experienced cyberattacks as discussed in “Item 1A, Risk Factors” above, based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect BD. Despite our efforts in implementing and maintaining our cybersecurity risk management program, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident or breach in the future that may materially affect us. For further discussion of how our business, results of operations, and financial condition could be materially adversely affected by risks from cybersecurity threats, see “Item 1A, Risk Factors.”

Governance

The Board and its committees provide oversight of our ERM program, including our cybersecurity risk management program and the protection and resilience of BD products, manufacturing and distribution OT, enterprise IT and BD data.
In addition, our management periodically conducts cybersecurity crisis simulations with the full Board to raise awareness of cybersecurity risks and enhance our incident preparedness. We also provide Board members the opportunity to take a cybersecurity training course through an external service provider. The Board delegates oversight of our cybersecurity risk management program to the Audit Committee and the Quality and Regulatory Committee (QRC). The Audit Committee regularly reviews our cybersecurity risk management program with respect to manufacturing and distribution OT and enterprise IT, and the QRC reviews our product cybersecurity program. Our cybersecurity risk management program is led by our Chief Information Security Officer (“CISO”), whose organization is responsible for identifying, assessing and managing risks from cybersecurity threats. Our CISO has over 20 years of experience leading information security, data risk management, application/system development and engineering teams at multiple large, global and publicly traded companies, including several Fortune 500 companies. Our CISO holds Certified Information Systems Security Professional (“CISSP”), Certified Information Security Manager (“CISM”), Certified Information Privacy Professional (“CIPP”) and Security+ certifications and contributes to healthcare industry working groups, most recently serving as chair of the Health Information Sharing and Analysis Center (the “HISAC”) Information Security Risk Management Working Group. Our CISO reports to our Chief Information Officer (CIO), who has overall responsibility for the cybersecurity risk management program and organization. Our CIO has more than 25 years of experience in information technology, business transformation, cybersecurity and technology solutions, including leadership roles at multiple large, global and publicly traded companies, including several Fortune 500 companies.
Our Vice President, Research and Development, Product Security (“VP of Product Security”) also supports our cybersecurity risk management program by leading a team of product security professionals focused on implementing security by design, security in use and product end-of-life strategies across our portfolio of software-based products. Our VP of Product Security has more than 15 years of experience in the medical device industry, including at another publicly traded company managing product security. Our VP of Product Security has received training from the SANS Institute and contributes to healthcare industry groups such as the Health Sector Coordinating Council Joint Cybersecurity Working Group. Our CISO is supported by and is a member of our Cybersecurity Strategy and Risk Committee (“CSRC”), which is a management-level governance body for oversight of all of our cybersecurity risk. Our VP of Product Security is also a member of the CSRC. On a quarterly basis, our CSRC receives information from our CISO regarding BD’s enterprise IT, manufacturing and distribution OT and product security programs, including the Company’s strategy and progress on key initiatives. We also have an executive-level Enterprise Risk Committee (ERC) that oversees our ERM program and aims to create an enterprise-wide culture that promotes open discussion regarding risk and opportunities and integrates effective risk management into our goals and objectives. As part of integrating cybersecurity risk management into our ERM program, our ERC receives updates from our CIO and CISO on BD’s cybersecurity risk management strategy and program on a regular basis. In addition to our CSRC and our ERC, we have established processes providing for the escalation of certain cybersecurity incidents and breaches.
We maintain a global response plan that sets forth a detailed incident management and reporting protocol designed to respond to cybersecurity incidents and breaches appropriately and efficiently. Our operational team is responsible for communicating the impact and status of certain cybersecurity incidents and breaches to senior management, including the CISO, based on its assessment of the significance of the cybersecurity incident or breach. We also have a committee consisting of senior members of our management, including our CIO and CISO, to evaluate cybersecurity incidents and breaches reported to the committee by our CISO on an ad-hoc basis for potential material impacts on BD, including its financial condition and results of operations, and assess BD’s public disclosure obligations. The CIO, CISO and other members of the committees are informed about the status, effectiveness and risks associated with our cybersecurity risk management program through their management of and participation in the cybersecurity risk management processes, policies and operations described above. Our CIO and CISO provide updates to the Audit Committee, and our VP of Product Security provides updates to the QRC, multiple times per year regarding BD’s cybersecurity risk management program, including the results of third-party assessments, progress towards cybersecurity goals and objectives, product cybersecurity matters, third-party risk management, regulatory compliance and other topics as needed. We also have processes by which certain cybersecurity incidents and breaches are escalated and reported to the Board of Directors or a Board committee, as appropriate, based on our management’s assessment of risk.
Company Information

Name: BECTON DICKINSON & CO
CIK: 0000010795
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: BDX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29