Page last updated on February 18, 2026
INSULET CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:03:03 EST.
Filings
10-K filed on 2026-02-18
INSULET CORP filed a 10-K at 2026-02-18 16:03:03 EST
Accession Number: 0001145197-26-000028
Item 1C. Cybersecurity.
Risk Management and Strategy

Like other companies, we currently operate in an environment characterized by increasing global cybersecurity vulnerabilities and threats. Accordingly, we have invested in people, processes, and technology aimed at identifying, assessing, and responding to cybersecurity threats. We take a holistic, layered approach to cybersecurity, with a strategy focused on prevention, detection, and mitigation. Our cybersecurity team assesses, monitors, and manages cybersecurity risk through a combination of technical, physical, and administrative controls. These controls include the implementing of cybersecurity policies, procedures, and strategies designed to prevent cybersecurity incidents to the extent feasible and to enhance the resilience of our systems to minimize business impact should a cybersecurity incident occur. We maintain a cybersecurity risk register, and cybersecurity team leaders meet monthly to discuss and prioritize cybersecurity threats, review risk assessments, and monitor progress on remediation activities.

We leverage the National Institute of Standards and Technology ("NIST") Cybersecurity Framework 2.0 to manage and respond to cybersecurity threats. Additionally, Insulet's information security management system is ISO 27001 and 27701 certified and we hold ISO certifications specific to Cloud Computing and Health Informatics.

Key facets of our cybersecurity program include:

- Ongoing Cybersecurity Threat Monitoring. Our cybersecurity operations centers operate across multiple time zones to support continuous monitoring, enabling timely detection, investigation, and response to cybersecurity threats.
- External Threat Landscape Assessment. Insulet employs multiple third-party threat intelligence services to monitor for cybersecurity threats and cybersecurity incidents. In addition, we participate in a third-party healthcare industry cybersecurity threat intelligence data-sharing organization.
- Insider Risk Detection. We use targeted third-party tools aimed at detecting insider cybersecurity threats and suspicious data movement.
- Cloud and Vulnerability Management. To enhance cloud and data security, we work to reduce our potential attack surface by establishing secure defaults, implementing least privilege access principles, and continuously monitoring cloud and system configurations. As part of our vulnerability and overall security posture management, a cross-functional team meets regularly to review and remediate issues identified through security scans and security configuration checks. This ongoing effort helps to maintain the security hygiene of our computing devices and supports the resilience of our technology environment.
- Testing and Audits. Regular penetration testing, incident response tabletop testing, and independent audits are performed by third-party cybersecurity consultants and our Internal Audit function. The results of these assessments, including final reports and gap analysis documentation, are reviewed by our cybersecurity team and logged in our risk register, as appropriate.
- Operating Technology ("OT") Visibility. As a manufacturer of medical devices, the interconnectedness between our OT and other business critical information systems can present material cybersecurity risks. To mitigate these risks, we implement network segmentation, access controls, and OT-specific monitoring capabilities.
- Vendor Management. New vendors and key business partners are subject to our vendor risk assessment process. Once engaged, these vendors are monitored by our third-party threat intelligence tools. Where appropriate, we incorporate security and privacy provisions or contractual addenda to ensure vendors maintain standards consistent with our cybersecurity and data protection requirements to ensure vendors maintain standards consistent with applicable cybersecurity and data protection law as well as our requirements.
- Training and Culture. Training, awareness, and incorporating cybersecurity into our culture is key to reducing risk around common threats such as phishing. All employees are required to complete annual cybersecurity training, supplemented by frequent "nanolearning" modules. These short, targeted trainings are designed to increase awareness of cybersecurity threats among our employees and equip employees with the knowledge and tools needed to recognize and respond appropriately to potential cybersecurity threats. We also conduct phishing simulations to evaluate the effectiveness of our training program with the goal of reducing the percentage of employees who click on suspicious emails.

Our guiding principle of "security and privacy by design" underlies our product development. We have a cybersecurity team embedded within our research and development organization to deliver on this mission as well as a Product Cybersecurity Risk Management Policy that aligns with FDA guidance. Omnipod 5 incorporates cybersecurity by design principles, which includes secure data transfer between the Pod, Controller, cloud storage, and compatible CGMs. We have processes in place to systematically integrate cybersecurity into each phase of our product design and development process. Omnipod 5 is certified by ISO (27001, 27017 and 27799) and the U.K. Cyber Essentials. Omnipod 5 incorporates authentication, encryption, and cybersecurity protection to safeguard against unauthorized devices or individuals accessing its system.

Should a cybersecurity incident occur, we maintain a Cybersecurity Incident Response Procedure ("CIRP") and Crisis Management Plan designed to support efficient, coordinated, and timely response efforts. Under the CIRP, cybersecurity incidents are initially reviewed and rated by our security operations team. Cybersecurity incidents are rated based on predefined severity levels and escalated to members of our cybersecurity incident response team ("CIRT") based on the facts and circumstances of the incident. Our CIRT consists of our Chief Information Security Officer ("CISO"), Chief Compliance Officer, Chief Privacy Officer, VP of Commercial Legal, and relevant members of our executive leadership team, including our General Counsel and CEO. When appropriate, such incidents are also reported to the Board of Directors ("Board") in accordance with our governance protocols. In addition, our internal Disclosure Committee reviews any planned public disclosures or regulatory filings.

Assessing, identifying, and managing cybersecurity-related risks is also integrated into our overall enterprise risk management ("ERM") program. Cybersecurity risks are included in the risk universe evaluated by the ERM function as it identifies and assesses the Company's top enterprise risks on an annual basis. The results of the annual ERM risk assessment are presented to our Board, with additional reporting during the year to the Nominating, Governance and Risk Committee ("NGR Committee") of the Board.

We currently do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company's business strategy, results of operations, or financial condition. While Insulet maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. "Risk Factors" for a discussion of cybersecurity and other risks which may impact Insulet.

Governance

Our Board oversees management's processes for identifying and mitigating risks, including from cybersecurity threats, to help align our risk exposure to our strategic objectives. While the Board reviews the Company's cybersecurity program annually, the NGR Committee has primary responsibility for cybersecurity as part of its risk oversight mandate. The NGR Committee is updated regularly on cybersecurity matters from our CISO and members of the CISO's team. Our CISO briefs the NGR Committee on management's actions to identify and detect threats and reviews the structure of, and enhancements to, the Company's defenses as well as management's progress on its cybersecurity strategic roadmap. The NGR Committee Chair reports to the full Board after each Committee meeting, including information relating to the cybersecurity discussions.

Our Cybersecurity organization, which includes infrastructure security, product security, technology risk management, and security awareness and culture is led by our CISO. Our CISO reports directly to our Chief Technology Officer ("CTO") and is responsible for developing and implementing our cybersecurity program, including setting the directional cybersecurity strategy, including for the assessment and detection of risks from cybersecurity threats, and continuous improvement plans for the overall cybersecurity program. Our CISO has over a decade of experience leading cybersecurity and technology risk management programs in medical device manufacturing organizations and achieved specific industry certifications, including Certified Information Systems Security Professional.

Our CTO ensures cybersecurity measures are prioritized across research and development, software engineering, and our information technology functions. Our CTO has more than 15 years of experience leading R&D and information technology departments at medical device and technology companies. Our CTO and CISO co-chair a quarterly Technology Risk Committee aimed at providing proper oversight and governance of the cybersecurity program, remediation of identified cybersecurity threats, and execution of our cybersecurity strategy.
Company Information
| Name | INSULET CORP |
| CIK | 0001145197 |
| SIC Description | Surgical & Medical Instruments & Apparatus |
| Ticker | PODD - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |