QUEST DIAGNOSTICS INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

QUEST DIAGNOSTICS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:18:00 EST.

Filings

10-K filed on 2024-02-22

QUEST DIAGNOSTICS INC filed an 10-K at 2024-02-22 16:18:00 EST
Accession Number: 0001022079-24-000041

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy The strength and resilience of our cybersecurity and data privacy programs are critical in maintaining the trust of our patients, customers, employees, shareholders, and other stakeholders. Securing our business information, customer, patient and employee data and IT systems is an important part of our overall risk management framework. We rely on IT systems, some of which are dependent on services provided by third parties, to provide data and other services, including diagnostic information services for patients, clinicians and healthcare organizations, clinical testing, test ordering and reporting, billing, customer service, logistics, commercial and operational data, human resources management, legal, finance and tax compliance, and other information and processes necessary to operate and manage our business. We maintain comprehensive cybersecurity and data privacy programs that are designed to be aligned to best practice frameworks and applicable laws and regulations, as well as our contractual obligations. These enterprise-wide programs are designed to secure our facilities, information systems and safeguard data throughout its lifecycle, including data provided to third parties performing services on our behalf. Our cybersecurity program incorporates standards, processes, and activities over a number of domains, including governance, access controls, facility and data protection, IT systems and data transmission security, threat intelligence and incident response, third-party risk management, disaster recovery and vulnerability management. Our cybersecurity risk management program monitors our systems and networks for threats, breaches, intrusions and other vulnerabilities; assesses the security of our company-wide software, applications and systems; conducts security audits and threat assessments; responds to cybersecurity incidents; and facilitates training for our employees. Our program includes procedures to identify cybersecurity risks and threats of our suppliers and third-party outsourcing providers with whom we interface, or who store, process, host or transmit confidential patient and employee data or other confidential information. Our Strategic Threat and Intelligence Center manages our threat landscape and uses a variety of security technology and threat intelligence tools designed to detect, prevent, block, analyze, and respond to cybersecurity threats. We collaborate with government agencies regarding potential cybersecurity threats and work with consultants and other third-party advisors to conduct security assessments and independent audits of the security and resilience of our systems and networks. At least annually, we review and test our program to simulate emergent threats and scenarios that could arise from potential cybersecurity attacks and data breaches. Our cybersecurity program is based on multiple security frameworks, including the National Institute of Standards and Technology s NIST 800 Special Publication Information Security standard, MITRE 40 Table of Contents ATT&CK Framework, the Payment Card Industry Data Security Standard, the System and Organization Controls for Service Organizations 2 (SOC 2), and ISO 9001:2015 and ISO 15189. We have integrated cybersecurity risk management into our overall risk management infrastructure through our enterprise risk management program. The enterprise risk management program, which is driven by our executive leadership, entails a formal process that identifies, assesses, mitigates and manages the risks from both internal and external conditions that could significantly impact the Company and influence our business strategy and performance. Although no cybersecurity incident during the year ended December 31, 2023 resulted in an interruption of our operations, known losses of critical data or otherwise had a material impact on our strategy, financial condition or results of operations, the scope of any future incident cannot be predicted. See Item 1A. Risk Factors for more information. Governance The Company s Chief Information Security Officer (CISO), in coordination with the Company s Chief Litigation Officer, Executive Director, Privacy Officer, Corporate Controller/Chief Accounting Officer and other internal stakeholders, is responsible for leading the team responsible for assessing, identifying and managing cybersecurity and data privacy risks, including implementation of our cybersecurity risk management program. The CISO has extensive experience working in the IT and services industry and is a subject matter expert in varied topics including cybersecurity, data integrity, IT risk, enterprise architecture, third-party risk, threat intelligence, incident response, and regulatory compliance. Management committees consisting of senior officers of the Company regularly receive briefings on cybersecurity matters, who in turn regularly report to the Board of Directors and its committees on such matters. The Board of Directors and its committees play an active role in overseeing our key enterprise level risks. Our Board, which annually reviews our enterprise risk management program, has delegated primary responsibility for overseeing the enterprise risk management program to the Audit and Finance Committee. The Board has delegated primary oversight of cybersecurity, a key enterprise risk, to the Cybersecurity Committee. The Board s Quality and Compliance Committee oversees and receives regular updates on data privacy, another key enterprise risk. The Audit and Finance Committee is responsible for reviewing our policies with respect to risk assessment and risk management, as well as our insurance programs, including regarding cybersecurity. Our internal audit team reports to the Audit and Finance Committee on summaries of findings from completed internal audits of, among other matters, our IT security systems and processes, including network security and data protection. The Audit and Finance Committee regularly reports to the Board on its activities. The Cybersecurity Committee is responsible for the general oversight of our cybersecurity policies, plans, program and practices and risks related to cybersecurity and data security. The Cybersecurity Committee reviews the adequacy and effectiveness of our cybersecurity program and regularly receives reports from management on cybersecurity matters. It also reviews our management of risks and compliance with legal and regulatory requirements and industry standards related to our IT security systems and processes, including network security and data protection. The Cybersecurity Committee regularly reports on its activities to the Board to promote effective coordination and to ensure the entire Board remains apprised of the effectiveness of our cybersecurity risk management and our cybersecurity risk landscape, and also assesses how management is managing these risks. 41 Table of Contents

Company Information