BOSTON SCIENTIFIC CORP 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

BOSTON SCIENTIFIC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 16:08:52 EST.

Filings

10-K filed on 2026-02-17

BOSTON SCIENTIFIC CORP filed a 10-K at 2026-02-17 16:08:52 EST
Accession Number: 0000885725-26-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

We have established an enterprise cybersecurity program, which is administered by a cross-functional team of cybersecurity professionals that includes employees and third party contractors and vendors, that utilizes various tools, methodologies and processes to assess, identify and manage cybersecurity risks related to our information technology (IT) and operational technology (OT) systems. Our cybersecurity program is designed to monitor and continually enhance our enterprise security posture, including assessments to evaluate readiness and resilience with the goal of preventing incidents and mitigating the impact in the event an incident occurs.

We have implemented cybersecurity policies mapped to industry and government standards and frameworks, such as U.S. National Institute of Standards and Technology (NIST) and International Standard of Organization, and our strategy is aligned to the NIST CyberSecurity Framework that provides us a structured approach to managing our cybersecurity risk through its five core functions. We regularly review our cybersecurity policies and require annual cybersecurity training for our employees. We also periodically conduct simulation exercises involving employees at various levels of the organization and provide annual cybersecurity briefings to our Board of Directors. Cybersecurity education has also been provided to our Board of Directors to support incident preparedness.

We have an established product cybersecurity program that ensures cybersecurity risk management is incorporated into the entire lifecycle for all of our products. Our product cybersecurity program applies various tools, methodologies and processes to each lifecycle stage and helps ensure that our products are designed, built, tested, deployed and maintained in accordance with medical device cybersecurity standards, best practices, and guidance documents. This serves to build appropriate cybersecurity controls into our medical device products while also meeting regulatory compliance objectives.

We engage third-party security partners for specialized services such as incident response, penetration testing, and on-demand cybersecurity support. We also use a managed security service provider to enhance our security operations center with AI-enabled monitoring, analysis, and threat correlation capabilities. All third parties undergo security due diligence and risk assessment prior to engagement, with additional reviews performed as needed based on risk. If a third party experiences a cybersecurity incident that could affect our business, we conduct a full assessment and implement appropriate safeguards. Our cybersecurity team also continually monitors third-party security posture to help mitigate risks to our systems.

Cybersecurity risks are also monitored within our enterprise risk management (ERM) program and included in the risk universe used to assess top risks to the Company on an annual basis. Risks are discussed with appropriate members of management, who oversee risk coverage, monitoring and reporting in the relevant risk function, including in our cybersecurity program, and incorporate those activities as part of developing our strategic plan.

Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, see Part I, Item 1A. "Risk Factors" for a discussion of cybersecurity risks that we face.

Governance

Our global cybersecurity organization is led by our chief information security officer (CISO), under the organization of our chief information and digital officer (CIDO). Our current CISO has over 20 years of extensive information technology experience, including in security architecture, software development and engineering, as well as leading security operations and incident response, offensive and defensive cyber projects in increasing roles of responsibility. He also previously held Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensics Analyst certifications. Our current CIDO is a member of our executive committee and has extensive experience overseeing information technology and security programs, including roles of increasing leadership within our Information and Digital organizations over the last ten years, and prior to that in increasing roles of responsibility managing information systems, including over 18 years at General Electric. Our current CIDO holds CISSP and other IT certifications.

Our Board of Directors (the Board) oversees an enterprise-wide approach to risk management, including cybersecurity risks. While the Board has ultimate responsibility for risk oversight, each committee of the Board also oversees risks to the extent they relate to the committee's respective area of responsibility and provides reports to the Board as appropriate. The Board receives annual updates (or more frequently, as appropriate under the procedures described below) on cybersecurity matters, including our cybersecurity program, cybersecurity risks, and the evolving threat landscape. Separately, the Board receives cybersecurity risk updates through the ERM program's annual risk assessment presented to the Board.

We have established controls and procedures to escalate enterprise level issues, including cybersecurity matters, to the appropriate management levels within our organization and the Board, or members or committees thereof, as appropriate. Under our framework, cybersecurity issues, including vulnerabilities introduced through our IT and OT systems, the use of artificial intelligence technologies, and risks arising from third-party software and service providers, are analyzed by subject matter experts, including a crisis committee as needed in accordance with our incident response plans, for potential financial, operational, and reputational risks, based on, among other factors, the nature of the matter and breadth of impact. Matters determined to present potential material impacts to our financial results, operations, and/or reputation are immediately reported by management to the Board, or individual members or committees thereof, as appropriate, in accordance with our established escalation framework. In addition, we have established procedures to help ensure that members of management responsible for overseeing the effectiveness of disclosure controls are informed in a timely manner of known cybersecurity risks and incidents that may materially impact our operations and that timely public disclosure is made, as appropriate.


Company Information

Name: BOSTON SCIENTIFIC CORP
CIK: 0000885725
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: BSX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31