Embecta Corp. 10-K Cybersecurity GRC - 2024-12-11

Page last updated on December 11, 2024

Embecta Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-11 16:52:35 EST.

Filings

10-K filed on 2024-12-11

Embecta Corp. filed a 10-K at 2024-12-11 16:52:35 EST
Accession Number: 0001872789-24-000037


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We rely on industry-standard software applications, IT systems, computing infrastructure, and cloud service providers (collectively referred to as “Information Systems”) to perform essential operations. Many of these systems are managed, hosted, provided, or utilized by third parties, including BD, to support our business activities. We have implemented administrative, physical, and technical safeguards and processes to assess, identify, and manage material risks from known cybersecurity threats to our Information Systems and operations. However, our Information Systems could be disrupted, degraded, destroyed, or manipulated intentionally or accidentally by our employees, third parties with authorized access, or cyber threat actors, which could negatively and adversely impact key business processes. The size and complexity of our Information Systems, as well as those of our third-party providers, make them potentially vulnerable to such service interruptions. Additionally, we and our third-party providers have experienced and expect to continue experiencing phishing attempts, network scanning attempts, and other unauthorized access attempts to our computers, Information Systems, networks, and devices. These increasingly sophisticated attacks are carried out by groups and individuals with various motives and expertise, including state and quasi-state actors, criminal groups, hackers, and others. Such attacks could result in the loss of confidentiality, integrity, and/or availability of our data and Information Systems.

Security risks to both the Company’s and its customers’ data and information are continuously evaluated and monitored. We actively monitor security 24 hours a day and seven days a week through our global Security Operations Center. We have implemented a multi-layered defense-in-depth approach using technologies that meet or exceed industry standards.

Additionally, we expect our vendors to adhere to our data privacy and security standards, and we evaluate their ability to comply as part of our vendor assessment process. This includes assessing internal and external threats to the security, confidentiality, integrity, and availability of Embecta and third-party provider data and systems, as well as other risks to our operations. Embecta utilizes the ISO 27001 framework, which incorporates the National Institute of Standards and Technology and Center for Internet Security frameworks, and various risk management frameworks to proactively evaluate its cybersecurity controls, risks, and overall program effectiveness. As part of our risk management process, we engage external providers to conduct periodic internal and external penetration testing and security assessments. Additionally, under our third-party risk management program, we assess vendor cybersecurity risks, including those associated with our cloud vendors and other third parties. We maintain security and privacy policies and procedures that align with industry-standard control frameworks and comply with applicable regulatory requirements, laws, and standards. Enterprise cybersecurity policies undergo an annual review and approval by our Information Security Risk Committee (“ISRC”).

Embecta has established a Cyber Security Incident Response Team, a cross-functional team composed of representatives from our Information Technology, Information Security, Product Security, Privacy, Legal, and Human Resources groups. This team is responsible for the response to security threats by implementing our detailed incident response plan. Our incident response plan includes processes, procedures, and playbooks for assessing potential internal and external threats, developing remediation plans, and facilitating post-incident recovery, all designed to safeguard the confidentiality, integrity, and availability of both Company and customer data.

Governance

Cybersecurity risk management is integrated into our broader Enterprise Risk Management (“ERM”) framework to promote a Company-wide culture of awareness and proactive risk management. Our ERM framework is overseen by the Audit Committee and Board of Directors. Our Chief Information Officer (“CIO”) and Vice President of IT Infrastructure and Security (“VP IT”) are responsible for updating the Audit Committee and Board of Directors on Embecta’s cyber risk. The CIO and VP IT have oversight of cybersecurity strategy, policy, standards, architecture, and processes that protect Embecta’s enterprise network, Information Systems and information assets, and product technologies. The ISRC oversees our cybersecurity governance and manages various controls, ensuring accountability at all levels of the organization, including senior management and the executive leadership team. The ISRC meets quarterly, oversees enterprise and cybersecurity risk management, and reports to the ERM team and the Audit Committee. These committees receive updates on cybersecurity-related topics throughout the year, including any major cybersecurity incidents. Additionally, the Board of Directors receives periodic updates on information security and cybersecurity matters from our CIO and VP IT.

Our information security organization is led by our VP IT, who has over fifteen years of relevant experience, serving in various IT leadership roles within the medical device and medical technology industry. The VP IT is responsible for all aspects of our cybersecurity program, including cybersecurity engineering and architecture, cybersecurity operations, monitoring, incident response, threat intelligence, identity and access management, cybersecurity risk and compliance, and vulnerability management. Our VP IT reports to our CIO, who has over twenty years of experience in information technology and process leadership, including leading teams with global cybersecurity responsibilities. Our CIO reports to the Chief Financial Officer.


Company Information

Name: Embecta Corp.
CIK: 0001872789
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: EMBC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29