NovoCure Ltd 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

NovoCure Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 07:05:37 EST.

Filings

10-K filed on 2024-02-22

NovoCure Ltd filed an 10-K at 2024-02-22 07:05:37 EST
Accession Number: 0001645113-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY As a medical device manufacturer that directly interacts with both healthcare professionals and patients, we recognize data privacy and cybersecurity as fundamental imperatives. Like all companies of our size, computer system complexity, and geographic reach, our information systems are subject to constant probing from outside actors and potentially vulnerable to internal and external malicious intrusion, cyberattacks and computer viruses. Because the techniques used to obtain unauthorized access or sabotage systems change frequently and, generally, are not recognized until launched against a target, we maintain a multifaceted approach to assessing, identifying and managing our material risks related to cybersecurity threats. This approach is integrated into our overall risk management processes. We use both technology-based solutions (e.g., anti-virus software, automated intrusion detection systems, spam filters, encrypted virtual private networks) and human-based solutions (e.g., data management policies, outside penetration testing, employee training and testing, independent audits) to defend against cybersecurity threats. We reinforce our commitment to a strong cybersecurity culture through security training and awareness programs. Education on topics such as data security, privacy practices, email and mobile security as well as tailored topics such as secure programming for developers make our employees aware of the need to make sound cybersecurity decisions. Our goal is to promote a culture of thorough security and impress upon our employees that everyone has a part to play in securing corporate data and information systems. We have obtained both ISO 13485 (quality management systems for medical devices) and ISO 27001 (information security management systems) certifications, which require independent annual auditing to obtain and maintain. In addition to our commitment to secure our employees , customers and patients data, as well as intellectual property, we take steps to ensure data integrity and protection standards are maintained throughout our supply chain. We understand that supply chains are vulnerable to increasing risks from cybersecurity threats. Cybersecurity threats to our supply chain are accounted for by performing risk assessments by our dedicated cybersecurity staff. These analyses take into account the type and amount of data being accessed and the supplier s ability to employ and maintain cybersecurity health and is also verified through third-party assessments and certifications. Supply chain vendors are monitored to ensure that risks remain mitigated and mechanisms are in place to allow for tracking and reporting of any material supplier cybersecurity events. Data security requirements are also included in all key vendor contracts. All vendors that handle personal information are required to provide appropriate protection in accordance with our policies and applicable regulations and laws. Our Board of Directors has primary oversight over our risk management activities and has specifically delegated cybersecurity risk management oversight to its Audit Committee, which is comprised entirely of independent directors. At least on a quarterly basis, our information security management provides updates on our cybersecurity activities and to the extent any cybersecurity incidents may have occurred. On at least an annual basis, our information security management team engages in a thorough discussion and review of our cybersecurity practices and procedures that are designed to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our information security management team is led jointly by our Vice President, IT Infrastructure and Cybersecurity and our Director of Privacy. We have dedicated privacy and cybersecurity officers and committees with established processes to assess, identify, manage and investigate all potential privacy and cybersecurity risks and incidents. As a medical device manufacturer with a global presence, we are compliant with privacy laws and regulations in all jurisdictions where we conduct business. In the U.S., the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH” and collectively “HIPAA”) provides data privacy and security provisions for safeguarding medical information. Additionally, states in the U.S. are enacting local privacy laws (e.g., California). In the EU, the General Data Protection Regulation (“GDPR”) harmonizes data privacy laws and rules on the processing of personal data, including patient and employee data, across the EU. The GDPR has a number of strict data protection and security requirements for companies processing data of EU residents, including when such data is transferred outside of the EU. Additionally, we need to comply with analogous privacy laws in other jurisdictions in which we operate, such as the Israeli Privacy Protection Law, the Asia Pacific Economic Cooperation Privacy Framework, and Japan s Act on the Protection of Personal Information. Our policies and procedures are all designed to ensure compliance with these obligations.

Company Information