Page last updated on February 18, 2025
BOSTON SCIENTIFIC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 16:13:39 EST.
Filings
10-K filed on 2025-02-18
BOSTON SCIENTIFIC CORP filed a 10-K at 2025-02-18 16:13:39 EST
Accession Number: 0000885725-25-000011
Item 1C. Cybersecurity.
Risk Management and Strategy
We rely on information technology (IT) and operational technology (OT) systems, including technology from third party vendors, to manufacture and ship our products, as well as to process, transmit and store electronic information in our day-to-day operations. We have established an enterprise cybersecurity program, which is administered by a cross-functional team of cybersecurity professionals that includes employees and third party contractors and vendors, that utilizes various tools, methodologies and processes to assess, identify and manage cybersecurity risks related to our IT and OT systems, as well as our products. Our cybersecurity program is designed to monitor and continually enhance our enterprise security posture, with the goal of preventing cybersecurity incidents to the extent feasible, including assessments to better understand our readiness for cybersecurity threats and the resilience of our critical business functions, with the goal of avoiding or reducing the impact if such an event were to occur. We have implemented cybersecurity policies mapped to industry and government standards and frameworks, such as U.S. National Institute of Standards and Technology (NIST) and International Standard of Organization, and our strategy is aligned to the NIST CyberSecurity Framework that provides us a structured approach to managing our cybersecurity risk through its five core functions. We regularly review our cybersecurity policies and require annual cybersecurity training for our employees. We also periodically conduct simulation exercises involving employees at various levels of the organization, as well as our Board of Directors, to prepare for cybersecurity incidents and response planning. Our product cybersecurity focus begins with our design protocols and is supported by quality testing, provider education, and packaging and distribution standards.
We use penetration testing to simulate cyberattacks and better understand our exploitable weaknesses, and we monitor threat intelligence feeds, including avenues for product users to report vulnerabilities directly to us, and use scanning tools to detect and assess vulnerabilities that could affect our products. In addition, we conduct product, enterprise and vendor/third party risk assessments, vulnerability assessments and analyses to gain insights into potential vulnerabilities and their impact on critical functions, and leverage their outcomes to prioritize our security investments and balance our resource allocation. We use third party security providers for specialized areas such as incident response, penetration testing, and on-demand cybersecurity services, including staff augmentation and consulting. We also leverage a managed security service provider to augment our cybersecurity organization and to provide additional monitoring and response capabilities. We engage and rely upon third parties to provide services and/or goods, represent and/or otherwise act on our behalf. Prior to engaging or conducting any business with or on our behalf, such parties undergo a due diligence review, and a third party security risk assessment is conducted to validate they are legally permitted and qualified to maintain appropriate safeguards to protect our information assets in connection with the services they intend to provide. We perform supplemental reviews as necessary, commensurate with the risk associated with each third party; for example, if or when a third party is affected by an incident that directly or indirectly impacts our company, we undertake a full assessment and implement additional controls commensurate to the risk. Furthermore, to minimize risks and vulnerabilities to our systems, our cybersecurity team continuously monitors and addresses cybersecurity threats and incidents at third-party service providers.
Assessing, identifying, and managing cybersecurity related risks are also integrated into our enterprise risk management (ERM) program. Cybersecurity related risks are included in the risk universe that the ERM function evaluates to assess top risks to the Company on an annual basis. Risks are discussed with appropriate members of management, who manage risk coverage, monitoring and reporting in the relevant risk function, including our cybersecurity program, and incorporate those activities as part of developing our strategic plan. The ERM program’s annual risk assessment is presented annually to our Board of Directors. Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, see Item 1A. “Risk Factors” for a discussion of cybersecurity risks that we face.
Governance
Our global cybersecurity organization is led by our chief information security officer (CISO), who reports directly to our chief information officer (CIO) and under the organization of our chief information and digital officer (CIDO). Our current CISO has over 19 years of extensive information technology experience, including in security architecture, software development and engineering, as well as leading security operations and incident response, offensive and defensive cyber projects in increasing roles of responsibility. He also previously held Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensics Analyst certifications.
Our current CIDO has extensive experience overseeing information technology and security programs, including roles of increasing leadership within our Information and Digital organizations over the last ten years, and prior to that in increasing roles of responsibility managing information systems, including over 18 years at General Electric. Our current CIDO holds CISSP and other IT certifications. Our Board of Directors oversees an enterprise-wide approach to risk management, including cybersecurity risks. While the Board has the ultimate responsibility for risk oversight, each committee of the Board also oversees risk to the extent it relates to the committee’s responsibilities and provides reports to the Board in its respective area of responsibility. The Risk Committee of our Board also focuses on an enterprise-wide approach to risk management, and has primary oversight responsibility for areas of quality and nonfinancial compliance issues, including cybersecurity risks. The Risk Committee receives periodic updates from the CISO and CIDO on our cybersecurity risks and threats, assessments of our cybersecurity program and the evolving threat landscape. Our Board of Directors also receives annual updates on such cybersecurity matters, or more frequently as appropriate under the procedures described below. Our Board of Directors also receives cybersecurity risk assessments as part of the annual ERM program presentation described above. We have established controls and procedures to escalate enterprise level issues, including cybersecurity matters, to the appropriate management levels within our organization and our Board of Directors, or members or committees thereof, as appropriate.
Under our framework, cybersecurity issues, including those involving vulnerabilities introduced by our IT, OT systems and use of third-party software, are analyzed by subject matter experts, including a crisis committee as needed in accordance with our incident response plans, for potential financial, operational, and reputational risks, based on, among other factors, the nature of the matter and breadth of impact. Matters determined to present potential material impacts to our financial results, operations, and/or reputation are immediately reported by management to the Board of Directors, or individual members or committees thereof, as appropriate, in accordance with our established escalation framework. In addition, we have established procedures to help ensure that members of management responsible for overseeing the effectiveness of disclosure controls are informed in a timely manner of known cybersecurity risks and incidents that may materially impact our operations and that timely public disclosure is made, as appropriate.
Company Information
Name | BOSTON SCIENTIFIC CORP |
CIK | 0000885725 |
SIC Description | Surgical & Medical Instruments & Apparatus |
Ticker | BSX - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |