Page last updated on February 20, 2025
Bausch Health Companies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 19:32:11 EST.
Filings
10-K filed on 2025-02-19
Bausch Health Companies Inc. filed a 10-K at 2025-02-19 19:32:11 EST
Accession Number: 0000885590-25-000007
Item 1C. Cybersecurity.
Risk Management and Strategy
We have established a formal set of policies and procedures to identify, assess, manage and report on material risks derived from cybersecurity threats and vulnerabilities, codified in the Bausch Health Cybersecurity Program (the “Program”). The purpose of the Program is to deploy a comprehensive framework designed to reasonably protect our information assets, systems, and networks from potential threats; and enable a prompt response to cybersecurity events and, if necessary, recovery from cyber-attacks using a combination of risk management and cybersecurity frameworks.
The Program is based on the National Institute of Standards and Technology Cybersecurity Framework (“CSF”) version 2.0. The CSF offers a framework for cybersecurity management, including program governance, asset and risk identification, systems protection, threat detection, and incident response and recovery. In particular, our cybersecurity strategy, as set forth in the Program, uses the CSF to address security safeguards across six dimensions of information security (Govern, Identification, Protection, Detection, Response, and Recovery). The Program guides the execution of our cybersecurity responsibilities for our digital infrastructure, including network security, endpoint security, data protection, incident response, awareness and training, compliance, and risk management.
The policies and procedures established pursuant to the Program include:
- Govern - Identify cybersecurity priorities and related outcomes as a component of the Company’s strategic planning processes.
- Identification - Identify and manage cybersecurity risk to systems, assets, data, people, and capabilities using measures such as asset management and assessment of suppliers and third-party partners, including using audits and testing.
- Protection - Implementation of safeguards designed to ensure delivery of critical infrastructure services, including identity management and access control, security training, and use of protective technologies.
- Detection - Detection of the occurrence of anomalies and cybersecurity events through logging, monitoring and communicating to appropriate personnel.
- Response - Establishing appropriate responses when cybersecurity events are detected, including response planning and leveraging communications channels.
- Recovery - Restore any capabilities or services that were impaired as a result of a cybersecurity incident, by executing documented recovery plans.
Pursuant to the Program, the Bausch Health Information Technology Security Department develops specific cybersecurity policies, procedures and guidelines. Key cybersecurity risk drivers, mitigation strategies, and key updates are incorporated as part of our ongoing Enterprise Risk Management processes. Our executive management team is responsible and accountable for the Program, cybersecurity risks generally, and ensuring that appropriate resources are allocated to addressing such risks, with Board-level oversight from the Audit and Risk Committee of the Board of Directors.
We review and seek to improve the Program through assessments from external, independent third parties, who review documentation, conduct interviews with key stakeholders, assess security roadmap progression and maturity against industry benchmarks, report on our internal incident response preparedness and help identify areas for continued focus. We also have insurance coverage for potential losses arising from a cybersecurity incident and to provide professional services that mitigate potential business impacts during cybersecurity incidents.
Impact of cybersecurity risks on business strategy, results of operations or financial condition
While as of the date of this Form 10-K, there have been no cybersecurity incidents that have materially affected, or are likely to materially affect the Company’s business strategy, results of operations or financial condition, we have experienced cybersecurity incidents from time to time, and any future incidents have the potential to have a material adverse effect on our business strategy, results of operations and/or financial condition. Please refer to “Risk Factors- Risks Relating to Information Technology-We have become increasingly dependent on information technology systems and infrastructure and any breakdown, interruption, breach or other compromise of our or our third-party service providers’ information technology systems could compromise sensitive information related to our business or prevent us from accessing critical information and subject us to liability or interrupt the operation of our business, which could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares and/or debt securities to decline.” under Item 1A. of this Form 10-K for additional description of cybersecurity risks and potential related impacts on our Company.
Governance
The Audit and Risk Committee of the Board, comprised fully of independent directors, is responsible for assisting the Board in oversight of risk, including cybersecurity risks. As part of that responsibility, the Audit and Risk Committee regularly reviews our enterprise risk assessment results, including the results of any cybersecurity risk assessments or audits, reports of investigations into any significant cybersecurity risks, and assessments of our insurance coverage for significant operational risks, including cybersecurity.
In addition, we have established a Global Cybersecurity Disclosure Committee, a senior-level, cross-functional governance committee comprised of representatives from our Information Technology, Compliance, Finance, and Legal departments, which is engaged during certain cybersecurity incidents to determine further response, escalation and reporting needs. The Global Cybersecurity Disclosure Committee meets quarterly to review information technology risk metrics and as needed in the event of a potentially material security incident, including at the discretion of Vice President of Information Security. The Global Cybersecurity Disclosure Committee is responsible for oversight of the implementation of appropriate remediation for security incidents where required, as well as determining whether to discuss any information security incidents with the Audit and Risk Committee of the Board of Directors and if external reporting is required under relevant laws, regulations or SEC rules. Members of our Global Cybersecurity Disclosure Committee have work experience managing cybersecurity and information security risks, an understanding of the cybersecurity threat landscape and/or knowledge of emerging cybersecurity and data privacy risks.
Company Information
Name | Bausch Health Companies Inc. |
CIK | 0000885590 |
SIC Description | Pharmaceutical Preparations |
Ticker | BHC - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |