Page last updated on February 25, 2025
Elanco Animal Health Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 09:12:37 EST.
Filings
10-K filed on 2025-02-25
Elanco Animal Health Inc filed a 10-K at 2025-02-25 09:12:37 EST
Accession Number: 0001739104-25-000014
Item 1C. Cybersecurity.

Item 1C. Cybersecurity for further discussion of our risk management, strategy and governance policies and procedures related to cybersecurity). We are increasingly dependent on our IT systems as many of our office workers who work partially or primarily remotely rely on third-party applications to perform their job duties and are processing information through our network via their home networks, which may be less secure. As such, our ability to effectively manage our business depends on the security, reliability and adequacy of our technology systems and data and the ability of our employees to follow our cybersecurity policies and protocols. Any actual or perceived access, disclosure or other loss of information or any significant breakdown, intrusion, interruption, cyber-attack or corruption of customer, employee or company data, or our failure to comply with federal, state, local and foreign privacy laws or contractual obligations with customers, vendors, payment processors and other third parties, could result in legal claims or proceedings, liability under laws or contracts that protect the privacy of personal information, regulatory penalties, disruption of our operations and damage to our reputation, all of which could materially adversely affect our business, financial condition and results of operations. While we will continue to implement additional protective measures to reduce the risk of and detect cyber-incidents, cyber-attacks are becoming more sophisticated and frequent, and the techniques used in such attacks change rapidly. Our protective measures may not protect us against attacks, and such attacks could have a significant impact on our business and reputation. The costs imposed on us as a result of a cyber-attack or network disruption could be significant. Among others, such costs could include increased expenditures on cybersecurity measures, litigation, regulatory investigations, fines and sanctions, lost revenues from business interruption, damage to our reputation and public perception and significant remediation costs. As a result, a cyber-attack or network disruption could have a material adverse effect on our business, financial condition and results of operations.

We are subject to complex EHS laws and regulations.

We are subject to various federal, state, local and foreign EHS laws and regulations. These laws and regulations govern matters such as the emission and discharge of hazardous materials into the ground, air or water; the generation, use, storage, handling, treatment, packaging, transportation, exposure to and disposal of hazardous and biological materials, including recordkeeping, reporting and registration requirements; and the health and safety of our employees. Due to our operations, these laws and regulations also require us to obtain and comply with permits, registrations or other authorizations issued by governmental authorities. These authorities can modify or revoke our permits, registrations or other authorizations and can enforce compliance through fines and injunctions. Given the nature of our business, we have incurred, are currently incurring and may in the future incur liabilities for the investigation and remediation of contaminated land under the U.S. Comprehensive Environmental Response, Compensation and Liability Act of 1980, as amended, or under other federal, state, local and foreign environmental cleanup laws, with respect to our current or former sites, adjacent or nearby third-party sites or offsite disposal locations. We could be subject to liability for the investigation and remediation of legacy environmental contamination caused by historical industrial activity at sites we own or on which we operate. The costs associated with future cleanup activities that we may be required to conduct or finance could be material. Additionally, we may become liable to third parties for damages, including for personal injury, property damage and natural resource damages, resulting from the disposal or release of hazardous materials into the environment. Such liability could materially adversely affect our business, financial condition and results of operations. Our failure to comply with the EHS laws and regulations to which we are subject, including any permits issued thereunder, may result in environmental remediation costs, loss of permits, fines, penalties or other adverse governmental or private actions, including regulatory or judicial orders enjoining or curtailing operations or requiring corrective measures, installation of pollution control equipment or remedial measures. We could also be held liable for any and all consequences arising out of human exposure to hazardous materials, environmental damage or significant EHS issues that might arise at a manufacturing or R&D facility. Environmental laws and regulations are complex, change frequently, have tended to become more stringent and more stringently enforced over time and may be subject to new interpretation. It is possible that our costs of complying with current and future EHS laws, and our liabilities arising from past or future releases of, or exposure to, hazardous materials could materially adversely affect our business, financial condition and results of operations.

We may be unable to achieve our goals and aspirations set forth in our ESG report(s), particularly with respect to the reduction of greenhouse gas (GHG) emissions, or otherwise meet the expectations of our stakeholders with respect to ESG matters.

Regulatory agencies have shown concern over the impact of animal health products and farm animal operations on the environment.
This regulatory scrutiny has in the past and may in the future necessitate that additional time and resources be spent to address these concerns in both new and existing products. Additionally, there has been a focus from our shareholders, as well as regulatory authorities both within the U.S. and internationally, on ESG practices and disclosures, including expanding mandatory and voluntary reporting of GHG emissions and other sustainability metrics, such as waste reduction, use of natural resources including energy, human capital and risk oversight. We have announced certain aspirations and goals related to ESG matters, such as our intention to reduce certain GHG emissions over time. Achievement of these aspirations, plans and goals is subject to numerous risks and uncertainties, many of which are outside of our control. It is possible we may be unsuccessful in the achievement of our ESG goals, on a timely basis or at all, or that the costs to achieve our goals become prohibitively expensive. Further, some jurisdictions have adopted laws and other regulations that may subject companies operating in those jurisdictions to legal liability for failing to meet published goals. At the same time, our stakeholders have evolving, varied and sometimes conflicting expectations regarding many aspects of our business, including our operations and ESG-related matters. If we fail, or are perceived to fail, in any number of ESG matters, such as environmental stewardship, IDEA, good corporate governance, workplace conduct and support for local communities, or to effectively respond to changes in, or new, legal, regulatory or reporting requirements concerning climate change or other sustainability concerns, we may be subject to regulatory fines and penalties, and our reputation may suffer.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Our business relies on IT systems to process, transmit and store electronic information, including customer, employee and company data. The secure processing, maintenance and transmission of this information, whether housed within an internal IT system or in third-party and cloud-based environments, is critical to our operations. Each of the systems utilized in our business operations is subject to continually evolving cybersecurity risks and threats that present a risk to the continuity of our business operations, potential financial losses and damage to our reputation, including a loss of public trust.

Risk Management, Strategy and Governance

Given the importance of the integrity and security of the information and data utilized in our day-to-day operations, our processes for assessing, identifying and managing material risks from cybersecurity threats are incorporated into our overall enterprise risk management framework. We evaluate cybersecurity risks on an ongoing basis, and both our executive management and Board of Directors have an overall responsibility for assessing and managing risks from cybersecurity threats. We have established an information security team which is structured into three areas that all report directly to our Chief Information Security Officer (CISO): 1) Governance, Risk and Compliance; 2) Architecture; and 3) Operations (Detect and Respond). Our information security team is responsible for the design and execution of our cybersecurity risk management and helps executive management and our Board of Directors stay informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity risks and incidents through various means, including, but not limited to, briefings with internal security team members, threat intelligence obtained from public and private sources and alerts and reports produced by security tools deployed within our IT environment. Our current CISO, who reports directly to our Chief Information Officer (CIO), has over 17 years of experience in various roles involving information technology governance and compliance, including cybersecurity, engineering and enterprise architecture, while our CIO has over 25 years of IT and cybersecurity experience. Our information security team includes professionals with relevant industry, educational and cybersecurity experience.

Governance, Risk and Compliance: Our approach to cybersecurity governance, risk and compliance is based on overarching guidelines, standards and best practices developed by the U.S. National Institute of Standards and Technology (NIST), a department of the U.S. Department of Commerce. Our information security governance oversees the process of coordinating the cybersecurity team(s) responsible for mitigating business risks posed by IT-related resources. Our governance framework of authority and accountability ensures prioritized initiatives have the required structure, sponsorship and funding to appropriately address the foreseen risks. Risk management includes an assessment of the risks posed to us by an IT solution, including cloud hosted and/or other third-party environments and systems. Our processes also address cybersecurity risks associated with our use of third-party service providers, including those in our supply chain or who have access to our client or employee data on our systems. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Our risk management process assesses both the probable frequency and probable magnitude of future loss based on a variety of potential risks and cyber events. The information security team also periodically engages third-party vendors to assist with our cyber threat detection and response actions, as well as to ensure our processes related to information security and defense against cybersecurity threats are appropriately designed and implemented to best prevent, detect and/or respond to a cyber threat or event.

Architecture: Our information security architecture is focused on designing IT-related solutions that are foundationally secure. Our information security architecture assumes that internal and external threats always exist, and that all networks are inherently hostile. Accordingly, all connections accessing business assets must first be authenticated and authorized. Where viable, IT services are individually secured and monitored at the source, following the principle of least privilege.

Operations (Detect and Respond): In the event of a cybersecurity incident, the Elanco Information Security Incident Response Plan (ISIRP) defines the roles, responsibilities, procedures and reporting processes required to respond effectively to cybersecurity incidents. Responses to information security incidents are led by two teams: 1) the Security Operations Center (SOC) team, which conducts the initial technical triage and analysis, and 2) a cross-functional team of leaders from the IT, Legal, Human Resources and Finance functions (the Cyber Lead team), which is engaged by the CISO on an as-needed basis, based on incident severity. The Cyber Lead team is tasked with confirming the severity of a cybersecurity incident and bringing together the proper resources to lead the corporate-wide response to such incidents, including engaging the Company’s Disclosure Committee, in the event an incident may rise to a level deemed material to us. In the event an incident is escalated by the Cyber Lead team, the Disclosure Committee, led by our Chief Financial Officer and General Counsel, would evaluate all estimable quantitative and qualitative factors to determine if a Current Report on Form 8-K would be required under Item 1.05, “Material Cybersecurity Incidents.” For the year ended December 31, 2024, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. For more information on potential risks related to cybersecurity threats and incidents, please see “Item 1A. Risk Factors - Breaches of our IT systems or improper disclosure of confidential company or personal data, or a failure to comply with privacy laws, regulations and our contractual obligations concerning data privacy or the security of certain information, could have a material adverse effect on our reputation and operations.”

Management’s Responsibilities

Management is responsible for executing the Cybersecurity Risk Management, Strategy and Governance policies outlined above. This is done, in part, by both establishing systems, processes and controls to minimize the risk of a high severity cybersecurity incident as much as possible, as well as ensuring there is a formal process designed to identify, investigate and appropriately respond to potential cybersecurity incidents. As noted, we have established our ISIRP as a response tool in the event of a cybersecurity incident. The ISIRP documents the actionable steps the SOC team, information security leadership and cross-functional stakeholders and partners take when a cybersecurity incident is identified. The ISIRP covers the preparation, detection and analysis, containment, eradication, recovery and post-incident activities required to effectively respond to an incident. Once a cybersecurity incident has been identified, the SOC team performs an initial investigation to determine if the incident is deemed high or low severity, based upon the business and operational impacts. Any incident deemed high severity would result in notification by the CISO to the Cyber Lead team to determine the appropriate actions to be taken. This determination would be made by the Cyber Lead team based on both qualitative and quantitative factors regarding the extent and magnitude of the incident. If the incident is then escalated to the Disclosure Committee and determined to be material, a disclosure via a Current Report on Form 8-K would be made within four business days of the incident being identified as such. Our Board of Directors would also be notified of any high severity incidents that are determined to be material, concurrently with the notification to the Disclosure Committee, and would be kept apprised of actions taken in response to such incidents.

Our information security team is also responsible for cybersecurity awareness and education across the company, including our Board of Directors. Awareness empowers users, including our employees and contractors, to be mindful of cybersecurity in day-to-day situations. Our cybersecurity education practices help ensure specific users have the appropriate security skills and competencies to help prevent and/or detect and respond to a cyber threat. Formal training is delivered and measured throughout our organization on a routine, ongoing basis, and dedicated training is delivered to all new employees and contractors through our onboarding process. Targeted and company-wide communications, as well as simulated phishing campaigns and tabletop exercises, are also routinely executed to promote ongoing awareness, preparation and education about cyber threats.

Board of Directors’ Responsibilities

Our Board of Directors actively oversees our cybersecurity management processes, including appropriate risk mitigation strategies, systems, processes and controls. Our CISO meets with the Audit Committee of the Board of Directors and separately with the full Board of Directors at least twice annually to discuss the status of policies and procedures related to information security. Discussions with the Audit Committee and the full Board of Directors focus on any notable incidents and incident responses, updates on known or perceived cyber threats and the information security team’s recent actions taken in response to such incidents and threats. In addition, our Board of Directors and the Audit Committee also receive updates from the CISO and/or our CIO on an ad-hoc or as-requested basis. Any incidents or changes to our process of identifying and responding to potential cybersecurity incidents would be included within these materials. According to our ISIRP, our Board of Directors would also be notified of any high severity incidents deemed material, simultaneously with the notification to the Disclosure Committee, and would be kept apprised of actions taken in response to such incidents.
Company Information
Name | Elanco Animal Health Inc
CIK | 0001739104
SIC Description | Pharmaceutical Preparations
Ticker | ELAN - NYSE
Website |
Category | Large accelerated filer
Fiscal Year End | December 30