INSULET CORP 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 21, 2025

INSULET CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 17:36:54 EST.

Filings

10-K filed on 2025-02-20

INSULET CORP filed a 10-K at 2025-02-20 17:36:54 EST
Accession Number: 0001145197-25-000007


Item 1C. Cybersecurity.

We manage cyber risk on a daily basis, as we face a multitude of threats ranging from ransomware, phishing attacks, and business email compromise to a wide array of other cyber-criminal tactics aimed at impacting our operations and compromising our sensitive information. Our customers, suppliers, subcontractors, and partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. Accordingly, we have invested in resources (people, processes, and technology) aimed at identifying, assessing, and responding to cyber threats.

Our Board of Directors (“Board”) oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure to our strategic objectives. While the Board reviews the Company’s cybersecurity program annually, the Nominating, Governance, and Risk Committee (“NGR Committee”) of the Board has primary responsibility for cybersecurity as part of its risk oversight mandate. The NGR Committee is updated on cybersecurity matters by our Chief Information Security Officer (“CISO”) and members of the CISO’s team at least twice annually. The CISO discusses management’s actions to identify and detect threats and reviews the structure of and enhancements to the Company’s defenses as well as management’s progress on its cybersecurity strategic roadmap. The NGR Committee Chair reports to the full Board after each Committee meeting, including information relating to the cybersecurity discussions.

Our Cybersecurity organization, which includes infrastructure security, product security, technology risk management, and security awareness and culture, is led by our CISO. Our CISO reports directly to our Chief Technology Officer (“CTO”) and is responsible for developing and implementing our cybersecurity program, including setting the directional security strategy and continuous improvement plans for the overall security program. Our CISO has over a decade of experience leading cybersecurity and technology risk management programs in both healthcare and medical device manufacturing organizations and maintains multiple industry certifications, including Certified Information Systems Security Professional and Certified Information Security Manager. The CTO ensures cybersecurity measures are prioritized across research and development, software engineering, and our information technology functions. The CTO supports the CISO in chairing a quarterly Technology Risk Committee aimed at providing proper oversight and governance of the cybersecurity program, remediation of identified technology risks, and execution of the cybersecurity strategy.

Our processes for assessing, identifying, and managing cybersecurity-related risks are also included within our overall enterprise risk management (ERM) program. We leverage the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to better manage and respond to cybersecurity risks in protecting our infrastructure and sensitive data. We have mapped and baselined our people, processes, and technology in alignment with the categories defined in the NIST industry standard framework: Identify, Protect, Detect, Respond, and Recover. Additionally, Insulet’s information security management system is ISO 27001 and 27701 certified. For the seventh consecutive year, Insulet received re-certification from the ISO, which is the recognized standard for information security management and privacy best practices that adheres to the highest international data security standards. In 2024, we also added ISO certifications specific to Cloud Computing and Health Informatics, which pair with and support other applicable medical device and international certification requirements.

We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection, and mitigation. We maintain a cybersecurity risk register, and cybersecurity team leaders hold monthly meetings to discuss and prioritize risks as well as the status of any remediation activity. Key facets of our cybersecurity program include:

- 24/7 cyber monitoring. Our security operations center is located in multiple time zones to ensure around-the-clock coverage and timely threat detection and response.
- External Threat Landscape Assessment. Our integrated privacy, legal, and security teams are continuously monitoring for any external threat that may impact our operations. Third-party threat intelligence feeds are leveraged to monitor Insulet’s digital footprint and activity that may cause brand damage.
- Insider Risk Detection. We have targeted tools aimed at detecting insider threats and suspicious data movement.
- Cloud and Vulnerability Management. To enhance cloud and data security, we reduce the attack surface by establishing secure defaults, implementing least privilege, and monitoring configurations continuously. As part of vulnerability and overall security posture management, we have a focused cross-functional team that meets regularly to address issues identified by security scans and security configuration checks to maintain hygiene of Insulet’s computing devices.
- Testing and Audits. Regular penetration testing, incident response tabletop testing, and audits are performed by trusted third-party security consultants. These final reports and gap analysis documents are logged into our risk register as appropriate.
- Operating Technology (“OT”) Visibility. As a manufacturer of medical devices, OT is a vital component of our business operations. Interconnectedness between OT technology and other business-critical information technology infrastructure can create a material cyber risk. Insulet deploys segmentation and OT-specific monitoring capabilities to mitigate and monitor this risk.
- Vendor Management. Vendors and key partners are subject to Insulet’s Vendor Risk assessment process and subsequently monitored by our threat intelligence capability, which tracks our key vendors and suppliers.
- Training and Culture. Training, awareness, and incorporating security into Insulet’s culture are key to reducing risk around common threats such as phishing. We have an operational information security training program for all employees. In addition to annual trainings, we require and monitor completion of frequent “nanolearning” targeted trainings. These quick trainings provide constant reminders to our employees to be vigilant and give them the tools to recognize and protect against cyber threats. We also conduct phishing simulations to test the effectiveness of our training program with the aim of reducing the percentage of employees who click on suspicious emails.

We are intensely focused on protecting the security of our products; our guiding principle of “security and privacy by design” underlies all of our product development. We have a cybersecurity team embedded with our research and development group to deliver on this mission, as well as a Product Cybersecurity Risk Management Policy that aligns with FDA guidance. Omnipod 5 incorporates cybersecurity-by-design principles, which include secure data transfer between the Pod, Controller, cloud storage, and compatible CGMs. Our Secure Software Development Lifecycle enforces application testing and continuous monitoring to identify security risks. Omnipod 5 is certified by ISO (27001, 27017 and 27799) and the U.K. Cyber Essentials. Omnipod 5 incorporates authentication, encryption, and cybersecurity protection to ensure only trusted devices and authorized people can access the system.

Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. Should a cyber incident occur, we have in place the Insulet Cybersecurity Incident Response Procedure (“CIRP”) and Crisis Management Plan, which are designed to enable us to respond efficiently to any incidents. Pursuant to the CIRP, cybersecurity incidents are reviewed and rated by our CISO and his team. A cybersecurity incident rated at predefined risk levels will be escalated to the CTO, the Chief Compliance Officer, and the General Counsel and assessed for materiality and disclosure to the CEO and the Board. Our internal Disclosure Committee will review any planned public disclosures or filings. The CIRP provides the organizational and operational structure to respond to incidents that may affect the confidentiality, integrity or availability of our information systems. We currently do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company’s business strategy, results of operations, or financial condition. While Insulet maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity and other risks which may impact Insulet.


Company Information

Name: INSULET CORP
CIK: 0001145197
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: PODD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30