INDIVIOR PLC 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

INDIVIOR PLC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:35:10 EST.

Filings

10-K filed on 2025-03-03

INDIVIOR PLC filed a 10-K at 2025-03-03 16:35:10 EST
Accession Number: 0001625297-25-000016


Item 1C. Cybersecurity.

Risk management and strategy

The Company recognizes the increasing sophistication of cyber threats, including phishing, malware attacks, and ransomware, affecting industries worldwide. Because we collect, store and transmit confidential information, including intellectual property, proprietary business information, and personal information in the ordinary course of our business, we are often the subject of various cyber-attacks. We may also be targeted by organized crime because of the nature of our products. Therefore, the Company has a number of processes for assessing, identifying, and managing material risks from cybersecurity threats as outlined below. In particular, the Company’s cybersecurity risk management and strategy efforts encompass various measures, including:

a. Risk Assessment Framework: The Company endeavors to assess cyber risks in an ever-evolving cybersecurity threat landscape and seeks to grow the maturity of its infrastructure to defend against these ever-evolving cybersecurity threats. The Company uses a risk assessment framework as part of its risk management process related to cybersecurity, which includes the evaluation of potential vulnerabilities, threats, and impacts on the organization’s information systems and data. This includes assessing the likelihood and potential consequences of identified cyber risks and threats to the enterprise.
b. Business Operating Standards: The Company has established business operating standards, monitoring processes, and a business resilience program to support the continuity of operations in the face of potential disruptions.
c. IT Strategy and Governance: The Company maintains IT strategies, governance frameworks, policies, processes, and disaster recovery plans which are aligned with overall business continuity objectives.
d. Incident Response Plan: The Company maintains an incident response plan that outlines specific steps to be taken in the event of a cybersecurity incident. This plan includes procedures for containing the incident, mitigating its impact, and recovering affected systems and data.
e. Security Measures: The Company deploys a large number of processes and tools to attempt to secure its systems and protect sensitive data. Indivior’s information security program is aligned with the NIST 800-53 CSF framework.
f. Employee Training and Awareness: The Company actively works to promote a culture of security awareness including by investing in ongoing employee training and awareness programs. The Company conducts security exercises and provides training modules that cover topics like recognizing phishing attempts and maintaining strong password practices.
g. Third-Party Risk Management: We also use a number of third-party vendors who have or could have access to our confidential information. The Company has established processes to evaluate and manage cybersecurity threats associated with certain third-party service providers. The Company continues to evolve its third-party risk review processes for new and existing, critical third-party service providers.
h. Regular Audits and Assessments: Periodic internal and external audits and assessments are conducted periodically to evaluate the effectiveness of the cybersecurity measures in place. These audits help in identifying areas for improvement and compliance with industry standards and regulations.
i. Incident Simulations: The Company conducts periodic incident simulation exercises to test the effectiveness of its incident response plans and the readiness of personnel to contain, remediate and minimize the impact in the event of a cybersecurity incident. These exercises help in refining response strategies and improving preparedness.
j. Use of Experts: From time to time, the Company engages a variety of third parties with expertise in cybersecurity to conduct independent assessments and provide recommendations for enhancing its cybersecurity posture.
k. ERM Integration: The Company integrates the results of the Company’s cyber risk assessment into its Enterprise Risk Management process, which is designed to identify, assess, manage, report, and monitor risks and opportunities affecting the achievement of the Company’s strategy and objectives.

Following a cybersecurity incident, and during its investigation and the formulation of a response, our processes also envision measures designed to contain and/or eradicate the incident and prevent further effects. Once it is determined that the incident has been resolved, we then work to establish appropriate controls (if applicable) to address similar future events and/or prevent another similar event from occurring in the future.

To date, we have not experienced any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Governance

The Audit & Risk Committee of the Board oversees the Company’s cybersecurity efforts. The Company’s cybersecurity efforts are managed by the Chief Information Security Officer (“CISO”) who has over 20 years of experience as a security professional in the pharmaceutical industry. The CISO reports directly to the Chief Information and Innovation Officer (“CIIO”), who has over 30 years of experience as an Information Technology (“IT”) professional including 15 years in leadership roles in the pharmaceutical, medical device and diagnostics industry, and was formerly Chief Information Officer and VP Global Supply Chain, Immucor, VP Global Information Services, Smith & Nephew, Sr. IT Director, Medtronic, and Sr. Manager, Deloitte Consulting.

The Audit & Risk Committee receives updates on an annual basis from the CIIO and CISO on the Company’s Cybersecurity strategy approach to IT and cybersecurity, including on the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Audit & Risk Committee also receives briefings as necessary on cyber risks and current threats directly from external cybersecurity experts.

The CISO oversees the Company’s governance programs, tests compliance with standards, works to remediate known risks, and leads our employee training program. The CISO is informed and monitors the latest developments in cybersecurity, including potential threats and innovative risk management techniques. In the event of a cybersecurity incident, the CISO is equipped with a specific incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. As is necessary, the CISO and the CIIO, working at the direction of the Chief Legal Officer and outside counsel, inform the Audit & Risk Committee of any cybersecurity incidents and inform the Board directly of any material cybersecurity incidents.

See also “Item 1A. Risk Factors - Business interruptions or breaches of data security could disrupt our product sales and delay the development of our product candidates.”


Company Information

Name: INDIVIOR PLC
CIK: 0001625297
SIC Description: Pharmaceutical Preparations
Ticker: INDV - Nasdaq
Website
Category: Non-accelerated filer
Emerging growth company
Fiscal Year End: December 30