PERRIGO Co plc 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

PERRIGO Co plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 14:20:57 EST.

Filings

10-K filed on 2024-02-27

PERRIGO Co plc filed a 10-K at 2024-02-27 14:20:57 EST
Accession Number: 0001585364-24-000009


Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

Cybersecurity is an important part of our risk management program and an area of increasing focus for our Board and management. While management is responsible for day-to-day risk management, the Board is responsible for the Company's overall risk oversight function, including cybersecurity risks, and includes oversight by several committees. The Audit Committee supports the Board in overseeing the overall framework for the risk assessment and enterprise risk management ("ERM") process for the Company. The Nominating & Governance Committee ("NGC") supports the Board by overseeing cybersecurity risks, policies and objectives. As part of its duties, the NGC regularly provides reports to the full Board of Directors (which includes Audit Committee members) related to matters within its responsibility. As a result of this process, the Audit Committee receives updates on, among other things, cybersecurity, which can be used to assist the Board and Audit Committee in its oversight of the Company's ERM processes.

We use a risk-based approach to identify, assess, protect, detect, respond to and recover from cybersecurity threats. Recognizing that no single technology, process or business control can effectively prevent or mitigate all risks, we employ multiple technologies, processes and controls, all working independently but as part of a cohesive strategy to minimize risk, including the following:

Management invests in organization capability and technology to manage and identify cybersecurity and information security risks. Our Company has information security employees across the globe, enabling us to monitor and promptly respond to threats and incidents, identify and maintain oversight of cybersecurity risks associated with third parties, evaluate and deploy cybersecurity technologies, and ensure associates are educated and prepared to address shared cybersecurity risks.

We emphasize security and resiliency through business assurance capabilities and incident response plans designed to identify, evaluate, and remediate incidents when they occur. We regularly review and update our plans, policies and technologies and conduct regular training exercises and crisis management preparedness activities to test their effectiveness.

We have implemented an information and cybersecurity awareness program designed to educate and test employee maturity at least annually, and regularly throughout the year employees receive training regarding phishing and other threat actor schemes, the inherent risks involved in human interaction with information and operational technology, and new and emerging technologies.

Our global cybersecurity program increasingly leverages intelligence-sharing capabilities about emerging threats within the Consumer Packaged Goods sector, across other industries, with specialized vendors, industry groups, and through public-private partnerships with government intelligence agencies. Such intelligence allows us to better detect and work to prevent emerging cybersecurity threats before they materialize.

The Company's cybersecurity policies, standards and processes are designed and implemented in light of the requirements of the National Institute of Standards and Technology (NIST) frameworks for cybersecurity and privacy.

Our strategy to identify, assess, protect, detect, respond to and recover from cybersecurity threats is regularly tested by external parties through auditing, penetration testing, and other exercises designed to assess and test our cybersecurity health, resiliency and the effectiveness of our program.

We have experienced and may continue to experience cybersecurity incidents; however, we do not believe any cybersecurity incidents incurred to date have materially affected our Company, including our business strategy, results of operations, or financial condition. While we continue to employ resources to monitor our systems and protect our infrastructure, these measures may prove insufficient, and that could subject us to significant risks. For further discussion of how these and other potential cybersecurity risks may impact our business, refer to the risk factor under heading "A cybersecurity breach, disruption or misuse of our information systems, or our external business partners' information systems could have a material adverse effect on our business" in Item 1A. Risk Factors - Operational Risks.

GOVERNANCE

The NGC, comprised solely of independent directors, is charged with oversight of risks related to global cybersecurity and operational resiliency. The NGC routinely engages with relevant management on a range of cybersecurity-related topics, including the threat of environment and vulnerability assessments, policies and practices, technology trends and regulatory developments from the Chief Financial Officer ("CFO") and Senior Vice President, Information Technology and Services ("IT&S") Strategy and Business Partnering. The NGC meets separately in advance of each regular Board meeting and when needed in the event of a specific cybersecurity threat, and its Chair regularly reports out to the Board on key matters considered by the NGC. The Board is periodically briefed on related cybersecurity matters from other executives from Legal, Privacy, and IT&S, as well as external experts related to breach management, external attestation of the company's cybersecurity practices and processes, and evolving cybersecurity matters that may inform the company's cybersecurity strategy and approach. The Board has received and will continue to receive cybersecurity training.

Our overall information security efforts are led by the CFO and Senior Information Technology Executives. These leaders have substantial experience in cybersecurity including knowledge, skills, certifications, and background in cybersecurity.

We have a formalized breach management protocol that utilizes a cross-functional team to address global cybersecurity efforts that includes partnership with Legal, Risk, our CFO, IT&S Strategy and Business Partnering and Enterprise HR which lead matters when they occur. This collaborative approach, working with a wide range of key stakeholders to manage risk, allows us to effectively share and respond to threat intelligence. In the event of a specific cybersecurity threat or incident, management is notified in accordance with established escalation procedures. If appropriate, management then notifies the NGC, which may meet to describe the cybersecurity threat or incident before reporting out to the Board regarding the matter. We use forensic and other key third party service providers to assist the Company with its response in the event of a cybersecurity incident.


Company Information

Name: PERRIGO Co plc
CIK: 0001585364
SIC Description: Pharmaceutical Preparations
Ticker: PRGO - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30