BAXTER INTERNATIONAL INC 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

BAXTER INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 17:15:03 EST.

Filings

10-K filed on 2025-02-21

BAXTER INTERNATIONAL INC filed a 10-K at 2025-02-21 17:15:03 EST
Accession Number: 0001628280-25-007201


Item 1C. Cybersecurity.

We assess, identify and manage risks from cybersecurity threats through our Global Cybersecurity and Compliance Program (Cybersecurity Program). Cybersecurity risks identified in the Cybersecurity Program are integrated into our Enterprise Risk Management Program. In addition, the Cybersecurity Program seeks to incorporate consideration of cybersecurity risk into our product development, business strategy, financial planning and capital allocation decisions. The Cybersecurity Program is currently overseen by the Board of Directors (Board) and is managed by a dedicated Chief Information Security Officer (CISO), who in turn reports to the Chief Information Officer (CIO), who currently reports to the CEO. The CISO’s organization has oversight responsibilities for cybersecurity strategy, policy, standards, architecture and processes for the security of our corporate and manufacturing enterprise network, information assets and medical device technologies.

Our current CISO has over 20 years of experience in cybersecurity and risk and technology management, and has held numerous positions in the cybersecurity sector, including serving as Global Cyber Risk Officer at another Fortune 500 medical products and equipment company and CISO at other healthcare companies and health care delivery organizations. Our current CIO has over 30 years of experience in information technology and has served in a number of professional services leadership roles, including as CIO over the past 15 years at three companies. The CISO’s organization monitors and manages, and works to identify and assess, cybersecurity risk through various technologies, resources, processes and policies that are updated as necessary to align with the changing threat landscape, our evolving business needs as well as global regulatory requirements.
In addition, from time to time, we also utilize external auditors and assessors to help evaluate our Cybersecurity Program, including conducting penetration testing and vulnerability, risk and maturity assessments. We also actively engage with industry experts, regulatory agencies, advocacy groups, industry peers, intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our Cybersecurity Program and to stay abreast of the emerging cybersecurity landscape. We use a range of defenses to help protect against cybersecurity threats and to work to secure our assets, reduce the time it takes to detect a cybersecurity threat and improve our recoverability capabilities. These defenses include the ongoing monitoring of our systems (including with the assistance of third-party vendors), conducting response and recovery exercises with employees and senior management (including our executive officers) to promote awareness of related matters and improve internal processes, and engaging with external cybersecurity rating agencies that assess our cyber risk.

In addition, to help promote privacy and security awareness throughout the company, the CISO maintains a Cyber Awareness and Engagement Program. As part of this program, all employees with a Baxter email address receive annual training on the recognition and prevention of cybersecurity threats as well as training on how to report suspicious activity or potential breaches through the appropriate channels. Our Cyber Awareness team communicates cybersecurity best practices to our employees through internal communications, including the company intranet, newsletters and global virtual seminars, and also hosts ongoing cybersecurity awareness campaigns, including phishing simulations.
Further, our Third-Party Risk Management Program utilizes a managed service that uses a standard framework to help identify, assess and monitor potential cybersecurity risks posed by third parties. Third-party cybersecurity risks (including reputational ones) are assessed by evaluating the third party’s security practices (including those associated with data protection), compliance with applicable regulations and planning associated with business continuity and incident detection and response.

The Cybersecurity Program maintains a cybersecurity governance and oversight framework that seeks to drive accountability for all levels of employees, including senior management and executive officers. Cybersecurity matters are generally managed by a combination of working groups that report to the cybersecurity compliance committee and ultimately the cybersecurity executive oversight committee, as appropriate. Our cross-functional cybersecurity compliance committee, which is led by the CISO, is composed of members of senior management, including the CIO, and reviews matters such as cybersecurity escalations, critical remediations and disclosure recommendations. The output from the cybersecurity compliance committee meetings is discussed at meetings of Baxter’s cybersecurity executive oversight committee, which is led by the CISO and includes the CIO and other members of management. In February 2024, we amended the charters of the Audit Committee and Quality and Regulatory Compliance (QRC) Committee of our Board to provide for the realignment of oversight over the company’s innovation strategy and cybersecurity to the full Board, as these responsibilities now sit within the vertically integrated segments and are part of the business strategies themselves. The Board oversees information technology functions generally, including product related cybersecurity matters (which had previously been subject to the oversight of the QRC Committee).
The Audit Committee is responsible for the oversight of certain significant cybersecurity incidents, including ones related to our products and services, and receives related updates from management on those incidents. Consistent with this oversight responsibility, the Audit Committee is responsible for reviewing proposed disclosures in connection with any material cybersecurity incident consistent with our disclosure obligations under Item 1.05 of Form 8-K. The full Board receives periodic updates on information technology and cybersecurity matters from company management (including the CIO and CISO) and external advisors from time to time, and the Audit Committee receives periodic updates (including as part of continuing director education) on the evolving cybersecurity landscape and regulatory reporting requirements.

The CISO maintains and annually updates a Cybersecurity Incident Response Plan, which is a guide for our Cyber Security Incident Response Team and business to respond to cybersecurity incidents in a coordinated manner. Additionally, the CISO, in partnership with a third-party consultant, facilitates periodic cyber-crisis tabletop exercises with members of senior management (including our executive officers) to help us prepare for the occurrence of a significant cybersecurity event and our related response activities.

Cybersecurity risks and threats, including any previous cybersecurity incidents, have not materially impacted us or our operations to date. However, we cannot provide any assurance that we will not be subject to a material cybersecurity incident in the future. See “Risks Relating to Our Operations-Breaches and breakdowns affecting our information technology systems or protected information, including from cyber security breaches and data leakage, could have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and competitive position” in Item 1A. Risk Factors of this Annual Report on Form 10-K for a discussion of cybersecurity-related risks.


Company Information

Name: BAXTER INTERNATIONAL INC
CIK: 0000010456
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: BAX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30