GILEAD SCIENCES, INC. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

GILEAD SCIENCES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:21:03 EST.

Filings

10-K filed on 2025-02-28

GILEAD SCIENCES, INC. filed a 10-K at 2025-02-28 16:21:03 EST
Accession Number: 0000882095-25-000006


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Processes Used to Assess, Identify, and Manage Material Risks from Cybersecurity Threats

Risk Assessment and Management

We manage material risks from cybersecurity threats through a cross-functional and layered approach that is designed to detect, identify, respond to, recover from and protect from cybersecurity incidents and is informed by industry recognized standards. Our security governance function, which includes key employees who work in Information Security, Legal, and Privacy teams, such as our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), is responsible for establishing and implementing cybersecurity policies and procedures, which includes developing and updating our enterprise Incident Response Plan (“IRP”), managing incident response, and overseeing any policy exceptions and potential compensating controls. Additionally, we assess our cybersecurity maturity annually and implement and maintain controls that are designed to evaluate and improve our cybersecurity program, such as vulnerability assessments and penetration tests, as needed. We also execute employee cybersecurity training and awareness programs around various key cybersecurity topics, including reporting incidents, phishing, ransomware, remote working, cloud security, privileged access and removable media.

Our process for assessing, identifying and managing material risks from cybersecurity threats is integrated into our overall risk management process. We have a robust enterprise risk management (“ERM”) program that plays an important role in seeking to manage and address existing and emerging risks, including cybersecurity risks, which are critical to our overall business goals and objectives. The ERM team updates our Chief Executive Officer (“CEO”) and his leadership team on cybersecurity risks as well as their potential impact, likelihood, potential mitigation plan and status.

Engagement of Third-Party Advisors

We engage third-party advisors, including assessors and cybersecurity consultants, to assess, validate and enhance our cybersecurity program. We benefit from engaging third parties to provide specialized skills, knowledge, tools and resources. These third parties also help reduce costs, increase efficiency, improve quality, mitigate risks and review cybersecurity strategy, trends and threat landscape.

Incident Response

We have a dedicated Information Security team responsible for managing and coordinating incident response efforts. This team collaborates closely with other teams within the company, including teams within information technology (“IT”), Legal and Privacy, in identifying, analyzing and responding to cybersecurity incidents, which includes tracking cybersecurity incidents to help identify any related incidents. When cybersecurity incidents are identified, our practice is to respond to and address them utilizing incident classifications and escalation protocols, in accordance with applicable governmental regulations and other legal requirements. Where necessary or appropriate, we also engage third-party advisors to assist in the incident response process. We have an IRP to prepare for and respond to cybersecurity incidents. Our IRP processes are tested in annual tabletop exercises to help identify strengths and areas for improvement. Under the IRP, cybersecurity incidents are escalated based on a defined incident severity to management as appropriate.

Third-Party Service Provider Risk Management

We have a process in place to oversee and identify risks from cybersecurity threats associated with our use of key third-party service providers during the course of engagement. The company uses an external risk management software program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Our vendor security assessment process evaluates key vendors and, where appropriate, assesses vendors’ controls for IT security, privacy, business continuity and other third-party risks. Following an evaluation, the company determines and prioritizes risks based on their potential impact, which helps inform the appropriate level of additional due diligence and ongoing compliance monitoring. The third-party risk assessment is a cross-functional effort involving our end-user, Legal, Privacy and Information Security teams.

Material Risks from Cybersecurity Threats

Like many companies, we face cybersecurity threats and have experienced cybersecurity incidents, including data breaches and temporary service interruptions. However, since the beginning of fiscal year 2024, the company has not identified risks from known cybersecurity threats or incidents that have materially affected us or are reasonably likely to materially affect us. Nevertheless, there can be no assurance that our efforts in response to cybersecurity incidents, as well as our investments to protect our IT infrastructure and data, will shield us from significant losses, brand and reputational harm and potential liability or prevent any future interruption or breach of our systems. Such cybersecurity incidents can cause the loss of critical or sensitive information, including personal information, and could give rise to legal liability and regulatory action under data protection and privacy laws. For additional information on cybersecurity risks we face, see Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K under the heading “Information system service interruptions or breaches, including significant cybersecurity incidents, could give rise to legal liability and regulatory action under data protection and privacy laws and adversely affect our business and operations.”

Cybersecurity Governance

Board Oversight of Risks from Cybersecurity Threats

Our Board of Directors plays an important role in overseeing cybersecurity risks. Our Board of Directors has established an oversight structure for monitoring the effectiveness of and risks related to the cybersecurity program. The Audit Committee has been designated by the Board to oversee cybersecurity and information technology risks. The Audit Committee receives quarterly cybersecurity updates from our CISO, and the chair of the Audit Committee meets with the CISO individually on a quarterly basis. These updates often address topics such as ongoing efforts to improve our cybersecurity posture, operational metrics, incident metrics and mitigation actions, and may include key metrics such as those related to cybersecurity maturity, risk reduction, cybersecurity program health, and audit and compliance activities. The Audit Committee updates the Board on its activities at each regularly scheduled Board meeting. Updates related to cybersecurity are provided to the Board on an annual basis as part of an overall ERM update. In addition to this regular reporting, significant cybersecurity events may also be escalated on an as-needed basis through the company’s organizational structure in accordance with the IRP.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

Our CISO, supported by a cross-functional team, has primary responsibility for assessing and managing our cybersecurity program and the related risks. Details of the risk management and escalation processes are discussed in “Cybersecurity Risk Management and Strategy” above. The CISO has over 30 years of IT and cybersecurity experience in large biopharmaceutical, life sciences, financial and technology industries, including over ten years with the company, and is responsible for managing the security architecture, engineering, technology operations, monitoring, incident response, risk, governance, quality and compliance at the company. The company’s Information Security function is comprised of teams that engage in a range of cybersecurity activities such as security operations, security engineering, data privacy controls, validation, compliance and audit readiness. Leaders of each team are expected to collaborate to help increase visibility of key issues and alignment with strategy. As noted above, the company’s IRP includes standard processes for escalating significant cybersecurity incidents to management, including the CISO. The company’s incident response team also coordinates with external legal advisors, cybersecurity forensic firms, communication specialists, and other outside advisors and experts, as appropriate.


Company Information

Name: GILEAD SCIENCES, INC.
CIK: 0000882095
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: GILD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30