OMNICELL, INC. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

OMNICELL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:27:55 EST.

Filings

10-K filed on 2025-02-27

OMNICELL, INC. filed a 10-K at 2025-02-27 16:27:55 EST
Accession Number: 0000926326-25-000003

Item 1C. Cybersecurity.

In general, the Company addresses cybersecurity risks through a comprehensive approach that is focused on preserving the security of its information and by identifying, preventing and mitigating cybersecurity threats, as well as effectively responding to cybersecurity incidents when they occur. The Company believes that this comprehensive approach helps to ensure that the highest levels of oversight is provided to its cybersecurity risk management activities and fosters collaborative consultation between management and the Board.

Board Oversight

As part of its risk oversight function, the Audit Committee of the Company’s Board of Directors is primarily responsible for overseeing and reviewing the Company’s information security and technology risks, including cybersecurity. In this role, the Audit Committee monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the regular receipt of reports from management on the effectiveness of its cybersecurity programs. These reports include semi-annual cybersecurity updates from the Company’s Chief Information Officer and quarterly reports from the Company’s risk management personnel on the progress of the Company’s broader Enterprise Risk Management (“ERM”) risk mitigation activities. As part of the ERM process, the Audit Committee provides input on key risks for the Company to consider. The Board also provides quarterly input on its views regarding potential emerging risk areas for the Company. The Audit Committee then reports to the full Board on a quarterly basis regarding its oversight activities and the risk management activities of the Company. In addition, the full Board periodically participates in cybersecurity-related table-top exercises and receives incident reports from the SIRT (as defined herein) as significant matters may arise.

Enterprise Risk Management

The Company utilizes a structured, biannual ERM process to identify, assess, and address material risks facing the Company, including cybersecurity risks, during which business leaders across the Company are surveyed about current and emerging risk areas. After the ERM survey is completed and risk areas are identified, the results are discussed with the relevant management personnel across the organization in the key risk areas, root causes are analyzed, risk mitigation plans are developed, and key risk indicators are utilized to monitor mitigation efforts. The Chief Information Officer works closely with the Company’s management team in all facets of its ERM risk mitigation activities related to cybersecurity and information security risks.

Ongoing Mitigation Efforts

The Company has implemented a number of security measures designed to protect its systems and data, including firewalls, antivirus and malware detection tools, patches, log monitors, routine back-ups, system audits, system hardening, penetration testing and privileged access session management. In addition, the Company has continued its efforts to migrate its platforms to cloud-based computing, which is designed to further strengthen its security posture. The Company has focused on its incident response procedures and retained a leading incident response provider. The Company has also recently strengthened its disaster recovery procedures. The Company’s solutions incorporate cybersecurity features that are routinely analyzed. In addition, the Company maintains insurance that responds to cyber-attacks, which coverage limit and cost is discussed and reviewed with the Audit Committee annually. The Company has what it believes are appropriate physical, technical, and administrative controls in place that are designed to protect customers’ data.

The Company uses a three-pronged approach focused on further reducing exposure, raising greater security awareness, and further strengthening the Company’s cybersecurity defenses. This approach resulted in the Company further hardening its identity computing environments as part of its progress to a zero trust environment, heightened cybersecurity awareness efforts through increased comprehensive information security awareness training for employees on a quarterly basis, and the strengthening of the Company’s cybersecurity defenses through implementation of multifactor authentication for Privileged Access Management and Endpoint Detection and Response solutions across the Company’s computing environment.

Incident Response

In the event of a cybersecurity incident, dependent upon the nature of the incident, the Company has a Security Incident Response Team (“SIRT”) that is comprised of employees who have responsibility and authority to act during a cyber incident without delay, including, dependent upon the nature of the incident, the Company’s Chief Legal Officer, Chief Information Security Officer and Chief Information Officer. The SIRT includes individuals responsible for assessing, containing, and responding to incidents, as well as those responsible for assessing the business and legal impacts, reporting incidents as appropriate, communicating to internal and external stakeholders, and engaging with industry and government response partners to coordinate information and resource sharing when needed. During a cybersecurity incident, as warranted, the SIRT keeps the Company’s senior leadership and Board apprised of the response to the incident, any material operational or business impacts, and any material internal or external communications regarding the incident. The SIRT will also seek the input of the Company’s senior leadership and Board, as needed, when addressing a cybersecurity incident.

Upon resolution of a cybersecurity incident, generally, the Audit Committee will review the incident, the impact and the mitigation efforts and remediation actions the Company will implement. The Audit Committee then monitors the completion of the remediation actions and mitigation efforts.

Cybersecurity Leaders in Management

The Company’s IT strategy and implementation is overseen by a dedicated Chief Information Officer with over 20 years of experience in the field, including previously serving a 17-year tenure, most recently as Vice President of Global IT, with a global technology leader of fiber optic subsystems and components. He holds a Bachelor of Science in Computer Science and Engineering from Andhra University in India and an MBA from the Indian School of Business. In addition, the Company has engaged a Chief Information Security Officer (“CISO”) that has built and managed world-class information security programs and technology teams for industry leading global companies. She has deep experience securing healthcare-focused companies in both the provider and supplier space. She holds a Bachelor of Science from the University of Redlands and an MBA from Notre Dame De Namur University along with holding certified information systems security professional (“CISSP”) and certified information security manager (“CISM”) certifications.

Third Parties

The Company utilizes third-party service providers, such as cloud services, in connection with its operations, and its information security department implements a third-party risk assessment and review process in connection with those services to evaluate security posture and risk. The Company also engages third parties to assist in its cybersecurity management efforts, such as the leading incident response provider mentioned above and another provider to perform continuous monitoring and regular penetration testing of its information security systems and environment.

The Company and its personnel also actively engage with a number of other key vendors, industry participants and intelligence and law enforcement communities as part of its information security and cybersecurity efforts.


Company Information

Name: OMNICELL, INC.
CIK: 0000926326
SIC Description: Electronic Computers
Ticker: OMCL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30