Page last updated on July 28, 2025
CARDINAL HEALTH INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-14 08:47:07 EDT.
Filings
10-K filed on 2024-08-14 08:47:07 EDT
Accession Number: 0000721371-24-000056
Item 1C. Cybersecurity.
Cybersecurity Risk Management
We identify, assess, and manage risks related to cybersecurity through documented policies, standards, and procedures as part of our overall approach to cybersecurity, which is a component of our wider enterprise risk management program. Our approach to detection, mitigation, remediation, and prevention of cybersecurity risks utilizes a range of measures including, among other elements: benchmarking to generally accepted industry standards and frameworks, such as the National Institute of Standards and Technology cybersecurity framework; use of periodic tabletop exercises to promote awareness and improve internal processes; periodic penetration testing; a dedicated staff of cybersecurity professionals; and implementation of security measures and policies intended to identify as well as assist in containing and remediating cybersecurity risks.
We maintain cybersecurity incident response, disaster recovery, and business continuity plans that govern activities such as preparation, detection coordination, remediation and recovery, and escalation to senior management and, where appropriate, relevant committees of the Board. These plans are routinely reviewed under the leadership of our Chief Information Security Officer (“CISO”). We also maintain mandatory employee cybersecurity and privacy compliance awareness training requirements, which are supplemented by employee engagement campaigns.
We utilize third parties to assist with, and assess the effectiveness of, our cybersecurity posture, in addition to supporting incident response and mitigation where necessary. We identify and assess third party risks associated with suppliers and service providers across a range of areas, including cybersecurity, through a third-party risk management process that incorporates, among other features, the use of risk assessments and, where appropriate, contractual requirements around evaluations, security, technology, service levels, and other terms.
To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Cardinal Health. However, the scope and impact of any future incident cannot be predicted. For more information, please see Item 1A “Risk Factors” for the risk factor entitled “Our business and results of operations could be adversely affected if we experience a material cyber-attack or other systems breach.”
Governance
Our CISO, in coordination with our Chief Information Officer (“CIO”) to whom the CISO reports, leads our approach to assessing and managing cybersecurity-related risks. Our CISO has over twenty-five years of experience in information technology (“IT”), with twenty years in IT risk management, compliance, and information security, as well as a background in leading technical infrastructure teams and roles supporting business operations.
As part of management’s oversight of our cybersecurity program, we maintain an IT risk governance process that includes multiple levels of escalation from our IT Risk Advisory Board, which meets on a monthly basis and whose membership includes the CISO and IT functional area leadership, to an executive-level committee to help address cybersecurity risks at an enterprise level.
While the company’s Board oversees our overall risk management process, as part of its oversight, the Board has delegated certain responsibilities to committees of the Board. The Audit Committee of the Board has primary responsibility for discussing with management cybersecurity and other major IT risk exposures and management’s steps to monitor and control such exposures. In coordination with the Audit Committee, the Risk Oversight Committee of the Board monitors Cardinal Health’s compliance with applicable legal and regulatory requirements, including with respect to data privacy and security.
Our Audit Committee receives quarterly updates from the CISO and CIO, and the Board receives at least annual cybersecurity updates. Among other items, these updates cover a range of matters relevant to our cybersecurity program, including: the threat environment and related business risks; the state, priorities of, and investments in our cybersecurity program; the availability of cyber insurance; review of certain cybersecurity incidents that have occurred within the company and the industry; and relevant cybersecurity operational metrics.
Company Information
| Field | Value |
|---|---|
| Name | CARDINAL HEALTH INC |
| CIK | 0000721371 |
| SIC Description | Wholesale-Drugs, Proprietaries & Druggists’ Sundries |
| Ticker | CAH - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | June 29 |