PFIZER INC 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

PFIZER INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:27:18 EST.

Filings

10-K filed on 2025-02-27

PFIZER INC filed a 10-K at 2025-02-27 16:27:18 EST
Accession Number: 0000078003-25-000054


Item 1C. Cybersecurity.

Managing cybersecurity risk is a crucial part of our overall strategy for safely operating our business. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) program. Management is responsible for assessing and managing risk, including through the ERM program, subject to oversight by our BOD. Our cybersecurity policies and practices are aligned with NIST (National Institute of Standards and Technology) industry standards. Consistent with our overall ERM program and practices, our cybersecurity program includes:

- Vigilance: We maintain a global cybersecurity operation that endeavors to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing business disruptions.

- External Collaboration: We collaborate with public and private entities, including intelligence and law enforcement agencies, industry groups and third-party service providers to identify, assess and mitigate cybersecurity risks.

- Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include firewalls, intrusion prevention and detection systems, disaster recovery capabilities, malware and ransomware prevention, access controls and data protection. We continuously conduct vulnerability assessments to identify new risks and periodically test the efficacy of our safeguards through both internal and external penetration tests.

- Education: We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity events.

- Supplier Ecosystem Management: We extend our cybersecurity management control expectations to our supply chain ecosystem, as appropriate. This includes identifying cybersecurity risks presented by third parties.

- Incident Response Planning: We have established, and maintain and periodically test, incident response plans that direct our response to cybersecurity events and incidents. Such plans include the protocol by which certain significant or potentially material incidents would be communicated to executive management, our BOD, external regulators and shareholders, as appropriate.

- Enterprise-Wide Coordination: We engage relevant stakeholders from across the Company to identify emerging risks and respond to cybersecurity threats. This cross-functional approach includes personnel from our R&D, manufacturing, commercial, technology, legal, compliance, internal audit and other business functions.

- Governance: Our BOD's oversight of cybersecurity risk management is led by the Audit Committee, which oversees our ERM program. Cybersecurity threats, risks and mitigation are periodically reviewed by the Audit Committee and such reviews include both internal and independent assessment of risks, controls and effectiveness.

Our risk assessment efforts have indicated that we are a target for theft of intellectual property, financial resources, personal information, and trade secrets from a wide range of actors including nation states, organized crime, malicious insiders and activists. The impacts of attacks, abuse and misuse of Pfizer's systems and information could include, without limitation, loss of assets, operational disruption and damage to Pfizer's reputation. A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation.

We regularly engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported by the Chief Information Security Officer (CISO) to certain senior leaders, the Audit Committee and the BOD, as appropriate, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.

The Audit Committee oversees cybersecurity risk management, including the policies, processes and practices that management implements to prevent, detect and address risks from cybersecurity threats. The Audit Committee receives periodic briefings on, and discusses with our CISO, cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and considerations arising from our supplier ecosystem. The Audit Committee may also promptly receive information regarding certain significant or potentially material cybersecurity incidents that may occur, including any ongoing updates regarding the same.

Our CISO is a member of our management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. We believe our CISO and the information security organization have the appropriate expertise, background and depth of experience relating to monitoring the prevention, mitigation, detection and remediation of cybersecurity incidents to manage risks arising from cybersecurity threats.

The CISO works in coordination with other members of the management team, including, among others, the Chief Digital Officer, the Chief Financial Officer and the Chief Legal Officer and their designees. Our CISO, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CISO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other Pfizer colleagues in accordance with our cybersecurity policies and procedures, as is appropriate.

For the fiscal year ended December 31, 2024, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, see the Item 1A. Risk Factors - Information Technology and Security section in this Form 10-K.


Company Information

Name: PFIZER INC
CIK: 0000078003
SIC Description: Pharmaceutical Preparations
Ticker: PFE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30