Amneal Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on July 16, 2024

Amneal Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:04:14 EDT.


10-K filed on 2024-03-14

Amneal Pharmaceuticals, Inc. filed a 10-K at 2024-03-14 17:04:14 EDT
Accession Number: 0001723128-24-000014


Item 1C. Cybersecurity.

Cybersecurity Risk Management & Strategy

Our cybersecurity program includes policies and procedures designed to protect our systems and operations, as well as sensitive information and data, from anticipated cybersecurity threats. This program is a key component of our approach to enterprise risk management.

Key Processes

Our cybersecurity defenses include multiple layers of processes and technologies that can help prevent, detect and respond to cybersecurity threats. We administer multiple cybersecurity-related training and awareness events annually. These include baseline cybersecurity training for all new employees, an annual, mandatory, interactive cybersecurity training for all who are assigned our user accounts, frequent cybersecurity topic awareness broadcast emails, and targeted training for specific user groups. Additionally, we use a variety of detective and preventive technologies, including:

- email threat detection;
- endpoint detection and response;
- a 24 hours a day, 7 days a week security operations center that monitors system log telemetry and threat intelligence via a security incident and event management platform;
- vulnerability scanning on both internal and externally-facing infrastructure;
- next-generation firewalls with geographic access restriction for sensitive externally-facing systems;
- multi-factor authentication for remote access and certain internal systems;
- domain name service threat detection; and
- internal incident response procedures based on NIST Special Publication 800-61.

We also conduct periodic phishing attack simulations to evaluate users’ vulnerability to emerging email threats. We conduct remediation training where failures occur. On a quarterly basis, our cybersecurity team also conducts scenario-based tabletop exercises with critical business teams to simulate disasters and cyberattacks. The tabletop exercises test and fine-tune our business continuity plans and incident response procedures.

Program Assessments

Our cybersecurity processes are evaluated as part of an ongoing assessment of our internal control environment, which is informed by the five pillars of the NIST Cybersecurity Framework (“NIST CSF”). We employ a third-party service provider to conduct periodic penetration tests and to scan different parts of our IT environment for potential vulnerabilities. We prioritize critical or high vulnerabilities for swift remediation. Additionally, we employ a third-party service provider for continuous cybersecurity risk and vulnerability monitoring. We make continuous adjustments to system and network configurations to mitigate or remediate identified vulnerabilities.

Incident Response

Cybersecurity incident response procedures are informed by NIST Special Publication 800-61 and are continuously improved following quarterly exercises and live incidents. Incident response emphasizes rapid containment following detection of a range of threats, including:

- repeated login failures;
- suspicious network traffic;
- malware detection; and
- other threats as prioritized through a combination of industry threat intelligence via the Healthcare Information Sharing and Analysis Center and the Company’s security operations center.

Third-party Risk Management

We focus on further building cybersecurity resiliency throughout our value chain. We perform risk management via an industry third-party risk management service provider for all critical vendors, partners, and systems (including third-party hosted information systems) meeting our risk management policy criteria, to minimize the likelihood and impact of malicious cybersecurity incidents. During the onboarding phase, our cybersecurity team, under the direction of the Sr. Director Information Security, Compliance, and Privacy, performs a technological risk assessment on the vendor, partner and/or system and utilizes certain tools to detect the external risk it poses.

Vendors identified as posing elevated risk are escalated to senior management for an informed risk tolerance determination. Following the onboarding phase, the cybersecurity team continuously monitors risks related to the vendor, partner and/or system. All third-party cybersecurity incidents are tracked through the third-party service provider and are communicated to our cybersecurity team upon discovery. We prioritize our mitigation of cybersecurity risks based on relative severity (e.g., critical risk, high risk, low risk) and document a mitigation plan that details a resolution timeline.

Risks

Identified cybersecurity risks, including third-party risks and internal risks, are documented and managed in a risk register, which is reviewed monthly with leaders of our internal audit, compliance, and IT departments to ensure visibility and consensus in a separation-of-duties structure. Risks are stratified according to a standard calculus of probability, severity and materiality. As of the date of this report, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. However, a significant cybersecurity incident may materially impact our business strategy, results of operations and financial condition. Such significant cybersecurity incidents include, but are not limited to:

- ransomware infiltrating our critical systems, resulting in production delays and/or loss of critical information;
- cyber theft of our IP;
- cyber theft of customer and/or patient information;
- a cyberattack on a critical partner that disrupts our supply chain and/or services; and
- cyberattacks that significantly impact our brand perception.

As discussed more fully under Part 1, Item 1A, Risk Factors, “We are increasingly dependent on information technology, and our systems and infrastructure face certain risks, including cybersecurity and data leakage risks,” the sophistication of cybersecurity threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches of these types, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.

Board Oversight and Management’s Responsibilities

Board Oversight

While our Board of Directors is ultimately responsible for risk oversight, committees of the Board of Directors assist in fulfilling oversight responsibilities in certain areas of risk. The Audit Committee of the Board of Directors (the “Audit Committee”) is responsible for overseeing risks from cybersecurity threats. The Audit Committee receives cybersecurity updates from IT leadership at least twice a year. When meeting with the Audit Committee, the IT leadership team highlights significant accomplishments and issues related to our IT infrastructure, including cybersecurity incidents, risks, industry trends, notable incidents facing other companies, incident preparedness and other developments. The Audit Committee also receives updates regarding progress on initiatives to further align with the five pillars of the NIST CSF. These briefings are designed to provide visibility to the Audit Committee about the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies.

Management Oversight

Our IT department, in conjunction with the compliance department, assesses and manages risks related to cybersecurity. The Sr. Director of Global Information Security, Compliance, and Privacy is the primary management personnel responsible for our cybersecurity program. He has more than twenty years of experience as an information security specialist and holds various cybersecurity professional certifications, including Certified Information Security Manager from the Information Systems Audit and Control Association and Certified Information Systems Security Professional from the International Information System Security Certification Consortium. In addition, the department heads for IT and internal audit have industry-recognized credentials and extensive experience in the area of cybersecurity. Specific cybersecurity incidents are tracked by a third-party service provider through a ticketing system. Should cybersecurity issues arise throughout the quarter, management would determine whether a cybersecurity incident was material and decide on appropriate reporting and mitigation measures. Following this determination, management would promptly schedule a meeting with the Audit Committee.

Company Information

Name: Amneal Pharmaceuticals, Inc.
SIC Description: Pharmaceutical Preparations
Category: Accelerated filer
Fiscal Year End: December 30