HENRY SCHEIN INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

HENRY SCHEIN INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 14:14:38 EST.

Filings

10-K filed on 2024-02-28

HENRY SCHEIN INC filed an 10-K at 2024-02-28 14:14:38 EST
Accession Number: 0001000228-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We rely on information systems in our business to obtain, rapidly process, analyze, manage and store customer, product, supplier and employee data to, among other things: maintain and manage multiple information systems worldwide to facilitate the purchase and distribution of thousands of inventory items from numerous distribution centers; receive, process and ship orders on a timely basis; manage the accurate billing and collections for thousands of customers; process payments to suppliers and vendors; provide products and services that maintain certain of our customers electronic medical or dental records (including protected health information of their patients) and maintain and manage global human resources, compensation and payroll systems. For these purposes, we define information systems in a manner consistent with the definition contained in the new rules recently adopted by the SEC to mean electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations. Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk mitigation strategy intended to protect our information systems. Our cybersecurity risk mitigation strategy is designed so that the Company s cybersecurity program is aligned with generally accepted cybersecurity standards and frameworks, in particular the NIST Cybersecurity Framework, or NIST CSF, and our Company is externally audited, or certified, with ISO27001 partial scope. We maintain an Office of Cybersecurity ( OCS ), led by our Chief Information Security Officer ( CISO ), which oversees the operations of our cyber risk mitigation strategy. The OCS is a cross-functional, enterprise-wide management team, which continuously evaluates our global cybersecurity program s effectiveness and is focused on maintaining and protecting our information systems. In overseeing the operations of our cyber risk mitigation Table of Contents 40 strategy, the OCS partners with our Global Technology Solutions team, which is led by our Chief Technology Officer ( CTO ) and is comprised of over one hundred professionals that support our information systems and operations. Our cyber risk mitigation strategy includes monitoring for and addressing risks that materialize within the Company s information systems, as well as at our third-party vendors, suppliers and other third-party business partners. Our CISO reports to our CTO. Our CTO, who also serves as Senior Vice President, has more than 30 years of experience leading large-scale global IT organizations and received a Bachelor of Business Administration in Business Computer Information Systems and a Master of Business Administration from Hofstra University. See also Item 1. Business, Other Executive Management . Our Vice President, Global CISO, who also serves as Vice President and Head of the Office of Cyber Security, is a National Security Agency Certified Information Systems Securities Engineer, has nearly 30 years of experience leading global cybersecurity programs, and received a BS, Electrical Engineering and Computer Science from Lafayette College, and a Master of Science, Business, Information Technology Management from Johns Hopkins University. The cybersecurity risk mitigation strategy is also overseen by senior managers who are members of our Executive Steering Committee, comprised of the Company s most senior technology, legal and internal auditing officers. Our CEO is regularly briefed on issues, incidents, and developments, and our Board oversees our risk mitigation strategy principally through its Audit Committee and Regulatory, Compliance and Cybersecurity Committee, as described in more detail below. Our cybersecurity risk management program includes, among other elements: risk assessments designed to help identify material cybersecurity risks to our information systems; a security team principally responsible for managing our (i) cybersecurity risk assessment processes, and (ii) defining cybersecurity control standards; the use of expert external service providers to assess, test or otherwise assist with aspects of our cybersecurity controls, and to respond to specific cybersecurity threats; the review and assessment of past cybersecurity incidents with a view to learning from those events to further strengthen our cyber risk mitigation strategy; a written cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and a Global Information Security Policy, together with more detailed information security policies, procedures, standards, and guidelines. In addition, all employees with systems access are required to participate in mandatory annual cybersecurity and anti-phishing courses, along with compliance programs. Our employees who perform financial gatekeeper roles also receive additional mandatory annual data security training specific to spoofing, phishing and similar data security threats. Per written Company policies, employees are also required to safeguard confidential information. Our cybersecurity risk strategy is integrated into our overall enterprise risk management program, and our cybersecurity team is supported by and connected with the enterprise risk management team. Prior Cybersecurity Incidents In addition to immaterial and unrelated prior incidents at certain of our subsidiaries, in October 2023 Henry Schein experienced a cybersecurity incident that primarily affected the operations of our North American and European dental and medical distribution businesses. Henry Schein One, our practice management software, revenue cycle management and patient relationship management solutions business, was not affected, and our manufacturing businesses were mostly unaffected. Once we became aware of the issue, we took steps to assess, contain and remediate this incident. We restored affected systems and applications, our distribution operations resumed and we reactivated our ecommerce platform. We also notified law enforcement and our employees, customers, suppliers and investors, informing them of both the incident and management s efforts to mitigate its impact on our daily operations and data maintained on the Company s systems. Subsequently, on or about November 8, 2023, we determined that the threat actor obtained personal and sensitive information maintained on our systems belonging to certain third parties and since that date we have notified affected and potentially affected parties as appropriate. Table of Contents 41 The scope of personal and sensitive data impacted is still under investigation. On November 22, 2023, we experienced a related disruption to our ecommerce platform and related applications, which has since been remediated. As described in Management s Discussion & Analysis 2023 Compared to 2022, the incident adversely impacted our financial results for the fourth quarter and full year 2023. We also expect some short-term residual impact on our financial results in 2024. It is part of the mission of our cybersecurity risk mitigation strategy to constantly evolve our cybersecurity defenses to adapt to evolving risks, and to learn from prior incidents, and we have evaluated and continue to evaluate the incident with the assistance of third-party expert consultants. Members of the Audit Committee and Regulatory, Compliance and Cybersecurity Committee of our Board of Directors are conducting a review of the October 2023 cybersecurity incident, including the measures undertaken in response to the incident. Cybersecurity Governance Our Board has a Regulatory, Compliance and Cybersecurity Committee that focuses on cybersecurity oversight, together with other board committees, principally the Audit Committee. The purpose of the Regulatory, Compliance and Cybersecurity Committee is to assist the Board by providing guidance to, and oversight of, the Company s senior management responsible for assessing and managing Company-wide regulatory, corporate compliance and cybersecurity risk management programs. The primary responsibilities of the Regulatory, Compliance and Cybersecurity Committee are to (i) discuss cybersecurity strategic decisions, issues, challenges and opportunities relating thereto, (ii) provide expertise to guide assessment and monitoring of Company-wide regulatory, corporate compliance and cybersecurity risk management budgeting, spending and capital investment, (iii) monitor progress and status of the Company s regulatory, corporate compliance and cybersecurity risk management programs, (iv) review and evaluate major regulatory, corporate compliance and cybersecurity risk management initiatives to identify emerging and future opportunities for synergy or to leverage regulatory, corporate compliance and cybersecurity risk management investments more effectively and cost efficiently, (v) report to the Audit Committee on regulatory, corporate compliance and cybersecurity risk management matters reviewed by the Regulatory, Compliance and Cybersecurity Committee that may impact the Company s financial reporting and (vi) be generally available to, and communicate with, the Company s senior management, and to inform the Board in the areas described above. Our CISO and CTO, along with other key executives who are part of our Executive Steering Committee, review strategy, policy, program effectiveness, standards, enforcement and cybersecurity issue management with the Board s Regulatory, Compliance and Cybersecurity Committee on at least a quarterly basis and with the Audit Committee on at least a bi-annual basis. Our CTO meets with Board members outside of the formal meetings on a regular basis as well as in connection with specific cybersecurity issues or threats.

Company Information