Bausch Health Companies Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Bausch Health Companies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 17:04:26 EST.

Filings

10-K filed on 2024-02-22

Bausch Health Companies Inc. filed an 10-K at 2024-02-22 17:04:26 EST
Accession Number: 0000885590-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have established a set of policies and procedures to assess, identify, and manage material risks from cybersecurity threats, codified in the Bausch Health Cybersecurity Program (the Program ). The purpose of the Program is to establish a comprehensive framework intended to identify, manage, and where possible mitigate risks; prevent or identify and manage security incidents; protect our information assets, systems, and networks from potential threats; and enable a prompt response and recovery from cyber-attacks. The Program is based on the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ). The NIST CSF offers a framework for cybersecurity management, including asset identification, systems protection, threat detection, and incident response and recovery. In particular, our cybersecurity strategy, as set forth in the Program, uses NIST Special Publication 800-53, which covers the steps in the CSF that address security safeguards across five dimensions of information security (Identification, Protection, Detection, Response, and Recovery). The Program guides the execution of our cybersecurity responsibilities for our digital infrastructure, including network security, endpoint security, data protection, incident response, awareness and training, compliance, and risk management. The policies and procedures established pursuant to the Program include: 56 Risk Identification Seeking to identify and manage cybersecurity risk to systems, assets, data, people, and capabilities using measures such as asset management and assessment of suppliers and third-party partners, including using audits and testing. Protection I mplementation of safeguards designed to ensure delivery of critical infrastructure services, including identity management and access control, security training, and use of protective technology. Detection Detection of the occurrence of a nomalies and cybersecurity events through monitoring and communication to appropriate personnel. Response Establishing appropriate responses when cybersecurity events are detected, including through response planning and establishment of communications channels. Recovery Seeking to ensure resilience and restore any capabilities or services that were impaired due to a cybersecurity incident, through recovery planning and other measures. Pursuant to the Program, the Bausch Health Information Technology Security Department develops specific cybersecurity policies, procedures and guidelines. Key cybersecurity risk drivers, mitigation strategies, and key updates are incorporated as part of our ongoing Enterprise Risk Management processes. Our executive management team is responsible and accountable for the Program, cybersecurity risks generally, and ensuring that appropriate resources are allocated to addressing such risks, with Board-level oversight from the Audit and Risk Committee of the Board of Directors. We review and seek to improve the Program through assessments from external, independent third parties, who review documentation, conduct interviews with key stakeholders, assess security roadmap progression and maturity against industry benchmarks, report on our internal incident response preparedness and help identify areas for continued focus. We also have insurance coverage for potential losses arising from a cybersecurity incident and to provide professional services that mitigate potential business impacts during cybersecurity incidents. Impact of cybersecurity risks on business strategy, results of operations or financial condition As of the date of this Form 10-K, there have been no cybersecurity incidents that have materially affected, or are likely to materially affect the Company s business strategy, results of operations or financial condition. Please refer to Risk Factors Risks Relating to Information Technology We have become increasingly dependent on information technology systems and infrastructure and any breakdown, interruption, breach or other compromise of our or our third-party service providers information technology systems could compromise sensitive information related to our business or prevent us from accessing critical information and subject us to liability or interrupt the operation of our business, which could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares and/or debt securities to decline. under Item 1A. of this Form 10-K for additional description of cybersecurity risks and potential related impacts on our Company. Governance The Audit and Risk Committee of the Board, comprised fully of independent directors, is responsible for assisting the Board in oversight of risk, including cybersecurity risks. As part of that responsibility, the Audit and Risk Committee regularly reviews our enterprise risk assessment results, including the results of any cybersecurity risk assessments or audits, reports of investigations into any significant cybersecurity risks, and assessments of our insurance coverage for significant operational risks, including cybersecurity. In addition, we have established a Global Cybersecurity Disclosure Committee, a senior-level, cross-functional governance committee comprised of representatives from our Information Technology, Compliance, Finance, and Legal departments, which is engaged during certain cybersecurity incidents to determine further response, escalation and reporting needs. The Global Cybersecurity Disclosure Committee meets quarterly to review information technology risk metrics and as needed in the event of a potentially material security incident, including at the discretion of Vice President of Information Security. The Global Cybersecurity Disclosure Committee is responsible for oversight of the implementation of appropriate remediation for security incidents where required, as well as determining whether to discuss any information security incidents with the Audit and Risk Committee of the Board of Directors and if external reporting is required under relevant laws, regulations or SEC rules. Members of our Global Cybersecurity Disclosure Committee have work experience managing cybersecurity and information security risks, an understanding of the cybersecurity threat landscape and/or knowledge of emerging cybersecurity and data privacy risks. 57

Company Information