Organon & Co. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Organon & Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:55:19 EST.

Filings

10-K filed on 2025-02-28

Organon & Co. filed a 10-K at 2025-02-28 16:55:19 EST
Accession Number: 0001821825-25-000006


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy.

We depend on sophisticated software applications, complex information technology systems, computing infrastructure and cloud service providers (collectively, “Information Systems”) to conduct critical operations. Certain of these systems are managed, hosted, provided, or used by third parties. We implement processes for the assessment, identification, and management of material risks from cybersecurity threats; however, disruption, degradation, destruction or manipulation of our Information Systems through intentional or accidental means by our employees, third parties with authorized access or cyber threat actors could adversely affect key business processes.

The size and complexity of our Information Systems, and those of our third-party providers with whom we contract, make such systems potentially vulnerable to service interruptions. In addition, we and our third-party providers have experienced and expect to continue to experience phishing attempts, scanning attempts of our network, and other attempts of unauthorized access to our computers, digital systems, networks, or devices. Such attacks are increasingly sophisticated and are made by groups and individuals with a wide range of motives and expertise, including state and quasi-state actors, criminal groups, “hackers” and others. These attacks could lead to loss of confidentiality, integrity and/or availability of our data and Information Systems.

In the ordinary course of business, we and our third-party providers collect, store and transmit large amounts of confidential information (including trade secrets or other intellectual property, proprietary business information and personal information), and we must do so in a secure manner to maintain the confidentiality and integrity of such confidential information. While we have controls to protect such information, and aim to ensure that the third-party providers on which we rely have taken steps to protect such information, such controls may not be adequate. A breach of our Information Systems or those of our third-party providers, such as cloud-based systems, or the accidental loss, inadvertent disclosure, unapproved dissemination, misappropriation or misuse of trade secrets, proprietary information, or other confidential information, whether as a result of theft, hacking, fraud, trickery, other forms of deception, or any other cause, could enable others to produce competing products, use our proprietary technology or information, and/or adversely affect our business position. Further, any such interruption, security breach, or loss, misappropriation, and/or unauthorized access, use or disclosure of confidential information, including personal information regarding our consumers and employees, or the modification of critical data, could result in financial, legal, business, and reputational harm to us, including loss of revenue, loss of critical or sensitive information from our or our third-party providers’ databases or Information Systems, and substantial remediation and recovery costs.

Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to our data and systems, including malware and computer virus attacks.

We use information security and data privacy programs and practices designed to foster the safe, secure, and responsible use of the information and data our stakeholders entrust to us. We work with our customers, governments, policymakers, and others to help develop and implement standards for safe and secure transactions, as well as privacy-centric data practices.

Independent third parties test our cyber capabilities and audit our cloud security. We leverage third parties to test and assess our cyber capabilities. We regularly test our systems to discover and address any potential vulnerabilities.

Cybersecurity Governance.

Our Audit Committee has primary responsibility for overseeing our risk-management program relating to cybersecurity, although the Board participates in periodic reviews and discussion dedicated to cyber risks, threats, and protections. Our information security and privacy programs provide that the Board receives annual reports from our Chief Information Security Officer and Chief Ethics and Compliance Officer to discuss our program for managing information security risks, including security risks, the risk of cybersecurity incidents and, if applicable, remediation of any potential cybersecurity incidents. The Audit Committee receives regular briefings on both information security and data privacy from the Chief Information Security Officer and Chief Ethics and Compliance Officer, respectively. The Audit Committee receives periodic updates regarding our cybersecurity risk management program, and reports to the Board on the principal risks facing us and the steps being taken to manage and mitigate these risks. Both the Board and the Audit Committee receive periodic reports on our cyber readiness, security controls and our cybersecurity investments. In addition, our directors are apprised of incident simulations and response plans, including for cyber and data breaches.

Our information security program is managed by our Chief Information Security Officer (“CISO”), who leads our enterprise-wide cybersecurity risk management, strategy, policy, standards, architecture, and processes. Our CISO has over 30 years of experience in information technology, including over 10 years in information security. She holds a B.S. in Computer Science and a Master of Management. Additionally, she served as an executive committee member of the Health Sector Coordinating Council Cybersecurity Working Group and is a Certified Information Systems Security Professional (“CISSP”).

Supporting our CISO is our Deputy CISO, who serves as the primary backup to the CISO and helps oversee our information security program. Our Deputy CISO has over 20 years of experience in information technology, including over 10 years in information security. He holds a BS in Electronics Engineering and has served as the chair of the risk and vulnerability working groups at the Health Information Sharing and Analysis Center.

For additional information, see “Risk Factors - We are subject to a significant number of privacy and data protection laws and regulations globally, many of which place restrictions on our ability to transfer, access and use personal data across our business”; “- We depend on sophisticated software applications and computing infrastructure. Cyberattacks affecting our IT systems could result in exposure of confidential information, the modification of critical data or the disruption of our worldwide operations, including manufacturing and sales operations”; “- Reliance on third-party relationships and outsourcing arrangements could materially adversely affect our business” and “- We are subject to a significant number of privacy and data protection laws and regulations globally, many of which place restrictions on our ability to transfer, access and use personal data across our business.”


Company Information

Name: Organon & Co.
CIK: 0001821825
SIC Description: Pharmaceutical Preparations
Ticker: OGN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30