DEXCOM INC 10-K Cybersecurity GRC - 2024-02-08

Page last updated on April 11, 2024

DEXCOM INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 17:14:40 EST.

Filings

10-K filed on 2024-02-08

DEXCOM INC filed an 10-K at 2024-02-08 17:14:40 EST
Accession Number: 0001093557-24-000021

Item 1C. Cybersecurity.

Risk Management and Strategy

We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into our overall enterprise risk management processes. The processes for assessing, identifying and managing material risks from cybersecurity threats, including threats associated with our use of third-party service providers, include identifying the relevant assets that could be affected, determining possible threat sources and threat events, assessing threats based on their potential likelihood and impact, and identifying controls that are in place or necessary to manage and/or mitigate such risks.

We have established cybersecurity and privacy programs to maintain the confidentiality, integrity, availability, and privacy of protected information and ensure compliance with relevant security/privacy regulations, contractual requirements, and industry-standard frameworks. Our cybersecurity program includes annual review and assessment by external, independent third parties, who certify and report on these programs. For example, our Information Security Management System (ISMS) is certified as being in conformity with ISO/IEC 27001 by SRI Quality System Registrar. We maintain cybersecurity and privacy policies and procedures in accordance with industry-standard control frameworks and applicable regulations, laws, and standards. All corporate cybersecurity policies are reviewed and approved by senior leadership at least annually as part of our ISMS.

Our cybersecurity controls, which are the mechanisms in place to prevent, detect and mitigate threats in accordance with our policies and procedures, are based on the regulatory requirements to which we are subject and are monitored and tested both internally and externally by third parties at least annually. These controls include regular system updates and patches, employee training on cybersecurity and privacy requirements, incident reporting, and the use of encryption to secure sensitive information. In addition, we also regularly perform phishing tests of our employees and update our training plan at least annually. We maintain business continuity and disaster recovery capabilities to mitigate interruptions to critical information systems and/or the loss of data and services from the effects of natural or man-made disasters to Dexcom locations. We also provide annual privacy and security training for all employees. Our security training incorporates awareness of cyber threats (including but not limited to malware, ransomware and social engineering attacks), password hygiene, incident reporting process, as well as physical security best practices.

In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from security incidents were immaterial. As a result, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected us, our results of operations and financial condition. However, as discussed under “Risk Factors” in Part I, Item 1A of this Annual Report, cybersecurity threats pose multiple risks to us, including potentially to our results of operations and financial condition. See “Risk Factors - Risks Related to Privacy and Security.” As cybersecurity threats become more frequent, sophisticated and coordinated, it is reasonably likely that we will be required to expend greater resources to continue to modify and enhance our protective measures as we pursue our strategy that includes developing and commercializing products that integrate our CGM technologies into insulin delivery systems or data platforms of our partners. The technology integration and cloud-based depository platforms we continue to focus on can make us more vulnerable to cybersecurity threats, thereby making our pursuit of such strategies more costly.

Governance

Our Board of Directors is responsible for exercising oversight of management’s identification and management of, and planning for, risks from cybersecurity threats. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Board’s Technology Committee. The Technology Committee reports to the Board as necessary with respect to its activities, including making such reports and recommendations to the Board and its other committees as necessary and appropriate and consistent with its purpose, described below.

The Technology Committee, comprised of independent Board members, is responsible for reviewing cybersecurity, privacy, data protection and other major technology risk exposures of the Company, the steps management has taken to monitor and control such exposures, and the Company’s compliance with applicable cybersecurity and data privacy laws and industry standards. These reviews are provided at least quarterly. The Technology Committee receives management updates and reports, primarily through the Company’s Cybersecurity and Privacy Committee, a multidisciplinary team responsible for the overall governance, decision-making, risk management, awareness and compliance for cybersecurity and privacy activities across the Company.

The Cybersecurity and Privacy Committee is co-chaired by our Information Security Officer (ISO), Product Security Officer (PSO), and Chief Privacy Officer (CPO), and its members include executive officers of the Company, including our Chief Technology Officer, Chief Financial Officer, Chief Information Officer, and Chief Legal Officer, as well as representatives from the finance, internal audit, quality, regulatory, and legal teams. Management’s role in assessing and managing the material risks from cybersecurity threats is accomplished primarily through the committee.

Members of the Cybersecurity and Privacy Committee have broad ranges of expertise and experience in information technology and security. Our ISO, a co-chair of the committee, has over fifteen years of experience in the field of information security management, having previously led security operations and infrastructure and IT functions for a public university campus and a non-profit organization, and holds several licenses and certifications relating to information security, including a Certified Information Systems Security Manager from the Information Systems Audit and Control Association (ISACA), a Certified Information Systems Security Professional (CISSP) from the International Information Security System Security Certification Consortium (ISC2) and several technical cybersecurity certifications from the Global Information Assurance Certification (GIAC). Our PSO, also a co-chair of the committee, has over twenty-five years of previous experience in cyber security architecture and cyber security management for a number of large Fortune 500 technology companies and holds several certifications including CISSP from the International Information Security System Security Certification Consortium , C-CISO from EC-Council, Numerous certifications from Microsoft, CISCO, Juniper, Checkpoint among others and has completed several advanced GIAC security classes from the SANS Institute.

Our ISO reports directly to our Senior Vice President, Chief Information Officer (CIO), who is a member of the committee. He has held this role at Dexcom since 2021, having previously served as our Senior Vice President, Information Technology since 2018 and Vice President, Information Technology from 2016 to 2018. Our CIO also has a wide range of experience within global organizations in the field of information technology, including having served in various IT leadership roles at CareFusion, a Becton Dickinson Company, from 2012 to 2016, and ResMed in San Diego from 2007 to 2012. He holds a Bachelor of Engineering in Mechanical Engineering and a Master of Industrial Engineering. Our PSO reports directly to our Executive Vice President, Chief Technology Officer (CTO), who is also a member of the committee. Our CTO has held this role since 2022 and has 25 years of experience spanning consumer electronics, data storage, IoT and broadband industries. From 2011 to 2022 he worked at Technicolor (now known as Vantiva), most recently serving as Chief Technology Officer and General Manager of the Broadband Business Division. In addition to an MBA, he holds a Master of Science in Mechanical Engineering and a Bachelor of Mechanical Engineering.

The prevention, detection, mitigation and remediation of cybersecurity incidents at Dexcom is accomplished pursuant to various policies, procedures and processes, including incident response plans and the cybersecurity and privacy programs and controls described above under “Risk Management and Strategy.” These measures include escalation protocols through which the Cybersecurity and Privacy Committee is informed about cybersecurity and incidents by our ISO and PSO, who are informed through our business units. As described above, members of the Cybersecurity and Privacy Committee provide updates to the Technology Committee of the Board on a regular basis, and the full Board receives updates from the Technology Committee. In addition, there are protocols in place for immediate escalation in the event of any cybersecurity issues or developments that may require consideration between regularly scheduled Technology Committee or Board meetings.

Company Information