Bausch & Lomb Corp 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Bausch & Lomb Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:55:05 EST.

Filings

10-K filed on 2024-02-21

Bausch & Lomb Corp filed an 10-K at 2024-02-21 16:55:05 EST
Accession Number: 0001860742-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Cybersecurity risk management is an integral part of our overall enterprise risk management program. In order to assess, identify, manage and address the risk of cybersecurity threats or incidents, the Company has established a Cybersecurity Risk Management Program, which uses a risk-based approach to implement multi-layered controls designed to enable the Company to maintain agility while protecting critical infrastructure and data. This program, which is an integral part of our overall enterprise risk management program, implements controls and frameworks designed to align with industry best practices, including those based on the National Institute of Standards and Technology Cybersecurity Framework, the Sarbanes-Oxley Act of 2002 and HIPPA. The Cybersecurity Risk Management Program is designed to identify potential vulnerabilities and threats and develop strategies to mitigate and remediate them. To assess, identify, manage, address and minimize the effects of a cybersecurity threat or incident, or a series of related cybersecurity threats or incidents, the Company undertakes a range of activities, including monitoring of its systems and networks, incident response planning, and employee training. The Company also has business continuity and disaster recovery plans in place in the event of a cybersecurity incident, which are regularly reviewed and updated as needed. The Company also regularly engages third-party assessors, consultants, auditors, and other experts to help identify, assess and address potential threats or incidents. The Cybersecurity and Risk Management Team, as described below, is responsible for the operationalization of the Company’s cybersecurity practices, which consists of, but are not limited to: (i) updating and enhancing the Cybersecurity 52 Risk Management Program, (ii) overseeing third-party assessors, consultants, auditors, and other experts, and (iii) assessing, identifying, managing and addressing potential threats or incidents. When a cybersecurity threat or incident is identified, the Cybersecurity and Risk Management Team will perform a technical investigation which typically consists of the following phases: i. Detection, which includes identifying the threat or incident, gathering all available facts surrounding the matter and performing an initial analysis to determine its level of severity. If the incident is classified as Severity 1, the Materiality Committee, as defined below, is notified to further assess the matter. ii. Containment and Eradication, which includes determining the cause and vulnerabilities so that the threat or incident can be isolated and eliminated. iii. Recovery, which includes repairing the impacted systems, and if applicable, notifying and instructing impacted parties of next steps. iv. Post-Incident, which includes issuing a report summarizing the threat or incident, and the steps taken in assessing and eliminating the threat, as well as steps to implement to attempt to prevent similar future incidents. The Materiality Committee is responsible for assessing whether a threat or an incident has materially affected or is likely to materially affect the Company s business strategy, results of operations or financial condition. The Materiality Committee considers both quantitative and qualitative factors. Once it is determined that a matter has had a material impact or it is reasonably likely to have a material impact on the Company, the Materiality Committee is required to immediately report the incident to the Disclosure Committee and Audit and Risk Committee (the “Audit Committee”) of the Board of Directors (the Board ). The Company emphasizes continuous risk evaluation and mitigation to improve the Cybersecurity Risk Management Program s resilience and instill a culture of vigilance across the Company’s business. To promote employee awareness of best practices, the Company socializes policies and tips through its intranet site, sends regular phishing simulations, emails newsletters and hosts cybersecurity learning exercises, all in addition to standard company-wide cybersecurity awareness trainings. The Company also participates in various cybersecurity network memberships, including: H-ISAC: a global cybersecurity best practice-sharing and threat intelligence network for health care stakeholders and Domestic Security Alliance Council: a partnership between U.S. government agencies and private sector organizations that exchanges security and intelligence information. The Company has also implemented a risk management process designed to mitigate cybersecurity risks that arise from utilizing third-party service providers. The Company s control over and ability to monitor the security posture of third parties with whom it does business remains limited and there can be no assurance that the Company can prevent, mitigate or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including the Company s right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on its business from any such compromise or failure. Impact of cybersecurity risks on business strategy, results of operations or financial condition Despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see Risk Factors Risks Relating to Information Technology We have become increasingly dependent on information technology systems and infrastructure and any breakdown, interruption, breach or other compromise of our information technology systems or those of our third party service providers could subject us to liability or interrupt the operation of our business, which could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares to decline under Item 1A of this Annual Report Form 10-K. Governance Because cybersecurity and data privacy can affect all facets of the Company’s business, the Company employs governance structures that facilitate cross-functional, proactive risk management. The Board is responsible for oversight of the Company s risks from cybersecurity threats and incidents and the Audit Committee maintains primary responsibility related to monitoring this oversight. As noted above, the Company has in place the following teams who are responsible for maintaining various phases of the Cybersecurity Risk Management Program: Cybersecurity and Risk Management Team which is led by the VP, IT Security and Risk Management, who reports directly to the Chief Information Officer ( CIO ). The Cybersecurity and Risk Management Team is overseen by: 53 (i) the Executive Committee, which consists of, among others, the CEO, Chief Financial Officer, Chief Legal Officer and Chief Compliance and Privacy Officer, and (ii) the Audit Committee. The Cybersecurity and Risk Management Team is responsible for maintaining and carrying out the Cybersecurity Risk Management Program. Materiality Committee, which is led by the CIO, Controller and Chief Accounting Officer, and Deputy General Counsel. The Cybersecurity and Risk Management Team informs the Materiality Committee of Severity 1 incidents and the Materiality Committee is then responsible for assessing whether a threat or an incident has materially affected or is likely to materially affect the Company s business strategy, results of operations or financial condition. Once it is determined that a matter has had a material impact or it is reasonably likely to have a material impact on the Company, the Materiality Committee is required to immediately report the incident to the Disclosure Committee and Audit Committee. Audit Committee, which is comprised of independent directors, oversees the Cybersecurity and Risk Management Team and the team s implementation of its Cybersecurity Risk Management Program. The Audit Committee receives quarterly updates regarding cybersecurity risks and/or policy. In addition, the Materiality Committee updates the Audit Committee, as necessary, regarding any material cybersecurity incidents. Disclosure Committee, which is led by the Chief Legal Officer and Chief Financial Officer. The Disclosure Committee is informed of potentially material threats and incidents by the Cybersecurity and Risk Management Team and Materiality Committee and the Disclosure Committee is responsible for the preparation, review and filing of any disclosure required by applicable law. The Company s VP, IT Security and Risk Management and CIO who collectively lead our Cybersecurity and Risk Management Team have relevant degrees and certifications in Information Technology and Security and have extensive experience in their current and prior roles related to IT Security. Along with leading the Company s cybersecurity learning and awareness trainings, they also regularly participate in various third-party industry conferences and trainings. 54

Company Information