Elanco Animal Health Inc 10-K Cybersecurity GRC - 2024-02-26

Page last updated on May 6, 2024

Elanco Animal Health Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 09:05:25 EST.

Filings

10-K filed on 2024-02-26

Elanco Animal Health Inc filed a 10-K at 2024-02-26 09:05:25 EST
Accession Number: 0001739104-24-000009

Item 1C. Cybersecurity.

Our business relies on information technology (IT) systems to process, transmit and store electronic information, including customer, employee and company data. The secure processing, maintenance and transmission of this information, including information housed both within an internal IT system or with a third-party and cloud-based environments, is critical to our operations. Each of the systems utilized in our business operations is subject to continually evolving cybersecurity risks and threats that present a risk to the continuity of our business operations, potential financial losses and damage to our reputation, including a loss of public trust. For more information on potential risks related to cybersecurity threats and incidents, please see “Item 1A. Risk Factors - Breaches of our information technology systems or improper disclosure of confidential company or personal data, or a failure to comply with privacy laws, regulations and our contractual obligations concerning data privacy or the security of certain information, could have a material adverse effect on our reputation and operations.”

Risk Management, Strategy and Governance

Given the importance of the integrity and security of the information and data utilized in our day-to-day operations, our processes for assessing, identifying and managing material risks from cybersecurity threats are incorporated into our overall enterprise risk management framework. We evaluate cybersecurity risks on an ongoing basis, and both our executive management and Board of Directors have an overall responsibility for assessing and managing risks from cybersecurity threats. We have established an information security team which is structured into three areas, each with its own teams and leaders who report directly to our Chief Information Security Officer (CISO): 1) Governance, Risk and Compliance; 2) Architecture; and 3) Operations (Detect and Respond). Our information security team is responsible for the design and execution of our cybersecurity risk management and helps executive management and our Board of Directors stay informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity risks and incidents through various means, including but not limited to, briefings with internal security team members, threat intelligence obtained from public and private sources and alerts and reports produced by security tools deployed within our IT environment. Our current CISO has over 16 years of experience in various roles involving information technology governance and compliance, including cybersecurity, engineering and enterprise architecture, while our Chief Information Officer (CIO) has over 25 years of IT and cybersecurity experience. Our information security team includes professionals with relevant industry, educational and cybersecurity experience.

Governance, Risk and Compliance: Our approach to cybersecurity governance, risk and compliance is based on overarching guidelines, standards and best practices developed by the U.S. National Institute of Standards and Technology (NIST), a department of the U.S. Department of Commerce. Our information security governance oversees the process of coordinating the cybersecurity team(s) responsible for mitigating business risks posed by IT-related resources. Our governance framework of authority and accountability ensures prioritized initiatives have the required structure, sponsorship and funding to appropriately address the foreseen risks. Risk management includes an assessment of the risks posed to us by an IT solution, including cloud hosted and/or other third-party environments and systems. Our processes also address cybersecurity risks associated with our use of third-party service providers, including those in our supply chain or who have access to our client or employee data on our systems. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.

Our risk management process assesses both the probable frequency and probable magnitude of future loss based on a variety of potential risks and cyber events. The information security team also periodically engages third-party vendors to assist with our cyber threat detection and response actions, as well as to ensure our processes related to information security and defense against cybersecurity threats are appropriately designed and implemented to best prevent, detect and/or respond to a cyber threat or event.

Architecture: Our information security architecture is focused on designing IT-related solutions that are foundationally secure. Our information security architecture assumes that internal and external threats always exist, and that all networks are inherently hostile. Accordingly, all connections accessing business assets must first be authenticated and authorized. Where viable, IT services are individually secured and monitored at the source, following the principle of least privilege.

Operations (Detect and Respond): In the event of a cybersecurity incident, the Elanco Information Security Incident Response Plan (ISIRP) defines the roles, responsibilities, procedures and reporting processes required to respond effectively to cybersecurity incidents. Responses to information security incidents are led by two teams: 1) the Security Operations Center (SOC) team, which conducts the initial technical triage and analysis, and 2) a cross-functional team of leaders from the IT, Legal, Human Resources and Finance functions (the Cyber Lead team), which is engaged by the CISO on an as-needed basis, based on incident severity. The Cyber Lead team is tasked with determining the severity of a cybersecurity incident and bringing together the proper resources to lead the corporate-wide response to such incidents, including engaging the Company’s Disclosure Committee, in the event an incident may rise to a level deemed material to us. In the event an incident is escalated by the Cyber Lead team, the Disclosure Committee, led by our Chief Financial Officer and General Counsel, would evaluate all estimable quantitative and qualitative factors to determine if a Current Report on Form 8-K would be required under Item 1.05, “Material Cybersecurity Incidents”.

Management’s Responsibilities

Management is responsible for executing the Cybersecurity Risk Management, Strategy and Governance policies outlined above. This is done, in part, by both establishing systems, processes and controls to minimize the risk of a high severity cybersecurity incident as much as possible, as well as ensuring there is a formal process designed to identify, investigate and appropriately respond to potential cybersecurity incidents. As noted, we have established our ISIRP as a response tool in the event of a cybersecurity incident. The ISIRP documents the actionable steps the SOC team, information security leadership and cross-functional stakeholders and partners take when a cybersecurity incident is identified. The ISIRP covers the preparation, detection and analysis, containment, eradication, recovery and post-incident activities required to effectively respond to an incident.

Once a cybersecurity incident has been identified, the SOC team performs an initial investigation to determine if the incident is deemed high or low severity, based upon the business and operational impacts. Any incident deemed high severity would result in notification by the CISO to the Cyber Lead team to determine the appropriate actions to be taken. This determination would be made by the Cyber Lead team based on both qualitative and quantitative factors regarding the extent and magnitude of the incident. If the incident is then escalated to the Disclosure Committee and determined to be material, a disclosure via a Current Report on Form 8-K would be made within four business days of the incident being identified as such. Through December 31, 2023, there have been no cybersecurity incidents deemed to have had a material impact on our results of operations or financial condition. Our Board of Directors would also be notified of any high severity incidents that are determined to be material, concurrently with the notification to the Disclosure Committee, and would be kept apprised of actions taken in response to such incidents.

Our information security team is also responsible for cybersecurity awareness and education across the company, including our Board of Directors. Awareness empowers users, including our employees and contractors, to be mindful of cybersecurity in day-to-day situations. Our cybersecurity education practices help ensure specific users have the appropriate security skills and competencies to help prevent and/or detect and respond to a cyber threat. Formal training is delivered and measured throughout our organization on a routine, ongoing basis, and dedicated training is delivered to all new employees and contractors through our onboarding process. Targeted and company-wide communications, as well as simulated phishing campaigns and tabletop exercises are also routinely executed to promote ongoing awareness, preparation and education about cyber threats.

Board of Directors’ Responsibilities

Our Board of Directors actively oversees our cybersecurity management processes, including appropriate risk mitigation strategies, systems, processes and controls. Our CISO meets with the Audit Committee of the Board of Directors and separately with the full Board of Directors at least twice annually to discuss the status of policies and procedures related to information security. Discussions with the Audit Committee and the full Board of Directors focus on any notable incidents and incident responses, updates on known or perceived cyber threats and the information security team’s recent actions taken in response to such incidents and threats. In addition, our Board of Directors and the Audit Committee also receive updates from the CISO and/or our CIO on an ad-hoc or as-requested basis. Any incidents or changes to our process of identifying and responding to potential cybersecurity incidents would be included within these materials. According to our ISIRP, our Board of Directors would also be notified of any high severity incidents deemed material, simultaneously with the notification to the Disclosure Committee, and would be kept apprised of actions taken in response to such incidents.
Company Information

Name: Elanco Animal Health Inc
CIK: 0001739104
SIC Description: Pharmaceutical Preparations
Ticker: ELAN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30