TEVA PHARMACEUTICAL INDUSTRIES LTD 10-K Cybersecurity GRC - 2024-02-12

Page last updated on April 11, 2024

TEVA PHARMACEUTICAL INDUSTRIES LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-12 07:01:22 EST.

Filings

10-K filed on 2024-02-12

TEVA PHARMACEUTICAL INDUSTRIES LTD filed an 10-K at 2024-02-12 07:01:22 EST
Accession Number: 0001193125-24-031005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management Program Overview As cybersecurity threats rapidly evolve in sophistication and become more prevalent, especially with the increasing use of artificial intelligence technology, we have implemented a cybersecurity risk management program as part of our oversight, evaluation and mitigation of enterprise-level risks. Our cybersecurity risk management program leverages a combination of processes, technologies and personnel with expertise in cybersecurity to comply with applicable regulations and detect and respond to cyber-attacks, data breaches, security incidents, and compromises of personal information, as well as to regularly and promptly inform management and our Board of Directors of any significant cybersecurity risks and developments. Our cybersecurity risk management program is led by our global Chief Information Security Officer ( CISO ), who is directly responsible for establishing cybersecurity strategies and structures and managing ongoing cybersecurity risk management activities through our information security office, which is responsible for the day-to-day identification, monitoring and management of cybersecurity risks. Our CISO reports directly to our global Chief Information Officer ( CIO ). Our CISO has significant experience in managing cybersecurity risks at major global companies in the pharmaceutical and defense industries. Our CISO regularly meets with the CIO to provide updates on cybersecurity matters. Our CIO updates our executive management on a regular basis 50 Table of Contents to share cybersecurity related matters and discuss strategies to proactively manage cybersecurity threats. Our CISO and CIO brief our Audit Committee on our cybersecurity and risk management programs. Our information security office is supported by a team consisting of personnel with experience and expertise in cybersecurity risk management strategies, execution and operations, with domain expertise in cloud services security, infrastructure and operational technology security, cybersecurity incident response, and tactical governance risk compliance. Our CISO and CIO are also members of our information and security governance group, led by our CIO, which is comprised of executive and senior leadership from a variety of functions, including information security, corporate security, legal, finance, human resources, internal audit and compliance, as well as members of Teva s global situation room ( GSR ). Additionally, our CISO, CIO and other members of our information security office may, from time to time, consult and coordinate with other Teva departments and members of management to manage cybersecurity risks and implement cybersecurity incident responses. In addition, management has worked, and expects to continue to work, with third-party service providers, as appropriate, to assess, identify and manage cybersecurity risks. Management also conducts periodic and on-demand assessments of our cybersecurity risk management program with expert service providers to ensure it complies with and meets current ISO 27001 standards. In early 2024, our management team performed an exercise tabletop relating to potential cybersecurity risks. As part of its overall risk oversight function, our Audit Committee, which is comprised entirely of independent directors, considers cybersecurity risks in connection with overseeing our overall enterprise risk management system. Management, including our CISO and CIO, provide updates on our cybersecurity risk management program and cybersecurity matters to the Audit Committee, and also reports to the Board of Directors as necessary. During 2023, the Board received dedicated cybersecurity training and performed an exercise tabletop relating to potential cybersecurity risks. As part of our cybersecurity risk management program, we maintain industry standard procedures and policies, which are reviewed and revised frequently, and certified to comply with ISO 27001 standards, to both proactively assess, identify and manage potential cybersecurity risks and respond to any actual cybersecurity threats and incidents. Such procedures and policies include: actively monitoring our information technology systems to ensure compliance with applicable legal and regulatory requirements; engaging third-party consultants and other service providers to monitor and, as appropriate, respond to cybersecurity risks; requiring our service providers and our business partners who connect directly to our information technology systems, to comply with our cybersecurity standards, due diligence processes and be subject to our non-disclosure and other confidentiality agreements that include cybersecurity-related terms; providing and analyzing specialized industry sector intelligence on cybersecurity threats; regularly testing our cybersecurity systems and disaster preparedness, including our back-up information technology systems; developing and updating incident response plans to address potential cybersecurity threats; and maintaining and training our personnel on cybersecurity incident reporting procedures. Cyber Threats and Incident Response In the ordinary course of our business, we collect and store confidential data, including intellectual property, proprietary business information and personally identifiable information (including of our employees, customers, suppliers and business partners). We rely extensively on information technology systems, including some systems that are managed by third-party service providers, to securely process, store and transmit such confidential data in order to conduct our business. These systems include programs and processes relating to internal and external communications, ordering and managing materials from suppliers, collecting, processing and storing data produced by our clinical trials and other research and development initiatives, converting materials to finished products, shipping products to customers, processing transactions, processing payments to employees and vendors, calculating sales receivables, generating our financial results for each reporting period, summarizing and reporting results of operations, and complying with information technology security compliance and other regulatory, legal or tax requirements. 51 Table of Contents We have not been materially impacted by risks from cybersecurity threats and as of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, our systems and networks have been, and are expected to continue to be, the target of increasingly advanced and evolving cyber-attacks and cybersecurity incidents in the future may adversely impact our business, financial condition and results of operations, and we are continuing to actively monitor such threats. For more information, see Item 1A, Risk Factors Risks related to our general business and operations Significant disruptions of our information technology systems could adversely affect our business and Item 1A, Risk Factors Risks related to our general business and operations A data security breach could adversely affect our business and reputation. In the event that we experience a cybersecurity incident, we have a cybersecurity incident response playbook that sets forth the applicable processes, roles, engagements, escalations and notifications to be executed in order to promptly respond to such threats. Depending on its nature and scale, a cybersecurity threat may be managed within our information security office, escalated to our CISO and CIO, or escalated to our management, and Board of Directors and Audit Committee, as appropriate. In certain instances, our GSR may be initiated and will collectively manage Teva s response to a crisis on a corporate level. The GSR is comprised of members from our various business units and regions, including senior leadership from a variety of functions, such as information security, legal, finance, human resources, communications and compliance. We carry insurance that provides protection against the potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover or be sufficient to cover all losses or claims that may result from a cybersecurity incident.

Company Information