Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy
We have established a formal set of policies and procedures to identify, assess, manage and report on material risks derived from cybersecurity threats and vulnerabilities, codified in the Bausch Health Cybersecurity Program (the “Program”). The purpose of the Program is to deploy a comprehensive framework designed to reasonably protect our information assets, systems, and networks from potential threats; and enable a prompt response to cybersecurity events and, if necessary, recovery from cyber-attacks using a combination of risk management and cybersecurity frameworks.
The Program is based on the National Institute of Standards and Technology Cybersecurity Framework (“CSF”) version 2.0. The CSF offers a framework for cybersecurity management, including program governance, asset and risk identification, systems protection, threat detection, and incident response and recovery. In particular, our cybersecurity strategy, as set forth in the Program, uses the CSF to address security safeguards across six dimensions of information security (Govern, Identification, Protection, Detection, Response, and Recovery). The Program guides the execution of our cybersecurity responsibilities for our digital infrastructure, including network security, endpoint security, data protection, incident response, awareness and training, compliance, and risk management.
The policies and procedures established pursuant to the Program include:
Govern – Identify cybersecurity priorities and related outcomes as a component of the Company’s strategic planning processes.
Identification – Identify and manage cybersecurity risk to systems, assets, data, people, and capabilities using measures such as asset management and assessment of suppliers and third-party partners, including using audits and testing.
Protection – Implementation of safeguards designed to ensure delivery of critical infrastructure services, including identity management and access control, security training, and use of protective technologies.
Detection – Detection of the occurrence of anomalies and cybersecurity events through logging, monitoring and communicating to appropriate personnel.
Response – Establishing appropriate responses when cybersecurity events are detected, including response planning and leveraging communications channels.
Recovery – Restore any capabilities or services that were impaired as a result of a cybersecurity incident, by executing documented recovery plans.
Pursuant to the Program, the Bausch Health Information Technology Security Department develops specific cybersecurity policies, procedures and guidelines. Key cybersecurity risk drivers, mitigation strategies, and key updates are incorporated as part of our ongoing Enterprise Risk Management processes. Our executive management team is responsible and accountable for the Program, cybersecurity risks generally, and ensuring that appropriate resources are allocated to addressing such risks, with Board-level oversight from the Audit and Risk Committee of the Board of Directors. We review and seek to improve the Program through assessments from external, independent third parties, who review documentation, conduct interviews with key stakeholders, assess security roadmap progression and maturity against industry benchmarks, report on our internal incident response preparedness and help identify areas for continued focus. We also have insurance coverage for potential losses arising from a cybersecurity incident and to provide professional services that mitigate potential business impacts during cybersecurity incidents.
Impact of cybersecurity risks on business strategy, results of operations or financial condition
While as of the date of this Form 10-K, there have been no cybersecurity incidents that have materially affected, or are likely to materially affect the Company’s business strategy, results of operations or financial condition, we have experienced cybersecurity incidents from time to time, and any future incidents have the potential to have a material adverse effect on our business strategy, results of operations and/or financial condition. Please refer to “Risk Factors—Risks Relating to Information Technology—We have become increasingly dependent on information technology systems and infrastructure and any breakdown, interruption, breach or other compromise of our or our third-party service providers’ information technology systems could compromise sensitive information related to our business or prevent us from accessing critical information and subject us to liability or interrupt the operation of our business, which could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares and/or debt securities to decline.” under Item 1A. of this Form 10-K for additional description of cybersecurity risks and potential related impacts on our Company.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have established a formal set of policies and procedures to identify, assess, manage and report on material risks derived from cybersecurity threats and vulnerabilities, codified in the Bausch Health Cybersecurity Program (the “Program”). The purpose of the Program is to deploy a comprehensive framework designed to reasonably protect our information assets, systems, and networks from potential threats; and enable a prompt response to cybersecurity events and, if necessary, recovery from cyber-attacks using a combination of risk management and cybersecurity frameworks.
The Program is based on the National Institute of Standards and Technology Cybersecurity Framework (“CSF”) version 2.0. The CSF offers a framework for cybersecurity management, including program governance, asset and risk identification, systems protection, threat detection, and incident response and recovery. In particular, our cybersecurity strategy, as set forth in the Program, uses the CSF to address security safeguards across six dimensions of information security (Govern, Identification, Protection, Detection, Response, and Recovery). The Program guides the execution of our cybersecurity responsibilities for our digital infrastructure, including network security, endpoint security, data protection, incident response, awareness and training, compliance, and risk management.
The policies and procedures established pursuant to the Program include:
Govern – Identify cybersecurity priorities and related outcomes as a component of the Company’s strategic planning processes.
Identification – Identify and manage cybersecurity risk to systems, assets, data, people, and capabilities using measures such as asset management and assessment of suppliers and third-party partners, including using audits and testing.
Protection – Implementation of safeguards designed to ensure delivery of critical infrastructure services, including identity management and access control, security training, and use of protective technologies.
Detection – Detection of the occurrence of anomalies and cybersecurity events through logging, monitoring and communicating to appropriate personnel.
Response – Establishing appropriate responses when cybersecurity events are detected, including response planning and leveraging communications channels.
Recovery – Restore any capabilities or services that were impaired as a result of a cybersecurity incident, by executing documented recovery plans.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Governance
The Audit and Risk Committee of the Board, comprised fully of independent directors, is responsible for assisting the Board in oversight of risk, including cybersecurity risks. As part of that responsibility, the Audit and Risk Committee regularly reviews our enterprise risk assessment results, including the results of any cybersecurity risk assessments or audits, reports of investigations into any significant cybersecurity risks, and assessments of our insurance coverage for significant operational risks, including cybersecurity.
In addition, we have established a Global Cybersecurity Disclosure Committee, a senior-level, cross-functional governance committee comprised of representatives from our Information Technology, Compliance, Finance, and Legal departments, which is engaged during certain cybersecurity incidents to determine further response, escalation and reporting needs. The Global Cybersecurity Disclosure Committee meets quarterly to review information technology risk metrics and as needed in the event of a potentially material security incident, including at the discretion of the Vice President of Information Security. The Global Cybersecurity Disclosure Committee is responsible for oversight of the implementation of appropriate remediation for security incidents where required, as well as determining whether to discuss any information security incidents with the Audit and Risk Committee of the Board of Directors and if external reporting is required under relevant laws, regulations or SEC rules. Members of our Global Cybersecurity Disclosure Committee have work experience managing cybersecurity and information security risks, an understanding of the cybersecurity threat landscape and/or knowledge of emerging cybersecurity and data privacy risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Audit and Risk Committee of the Board, comprised fully of independent directors, is responsible for assisting the Board in oversight of risk, including cybersecurity risks. As part of that responsibility, the Audit and Risk Committee regularly reviews our enterprise risk assessment results, including the results of any cybersecurity risk assessments or audits, reports of investigations into any significant cybersecurity risks, and assessments of our insurance coverage for significant operational risks, including cybersecurity.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The policies and procedures established pursuant to the Program include:
Govern – Identify cybersecurity priorities and related outcomes as a component of the Company’s strategic planning processes.
Identification – Identify and manage cybersecurity risk to systems, assets, data, people, and capabilities using measures such as asset management and assessment of suppliers and third-party partners, including using audits and testing.
Protection – Implementation of safeguards designed to ensure delivery of critical infrastructure services, including identity management and access control, security training, and use of protective technologies.
Detection – Detection of the occurrence of anomalies and cybersecurity events through logging, monitoring and communicating to appropriate personnel.
Response – Establishing appropriate responses when cybersecurity events are detected, including response planning and leveraging communications channels.
Recovery – Restore any capabilities or services that were impaired as a result of a cybersecurity incident, by executing documented recovery plans.
Cybersecurity Risk Role of Management [Text Block]
As part of that responsibility, the Audit and Risk Committee regularly reviews our enterprise risk assessment results, including the results of any cybersecurity risk assessments or audits, reports of investigations into any significant cybersecurity risks, and assessments of our insurance coverage for significant operational risks, including cybersecurity.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
In addition, we have established a Global Cybersecurity Disclosure Committee, a senior-level, cross-functional governance committee comprised of representatives from our Information Technology, Compliance, Finance, and Legal departments, which is engaged during certain cybersecurity incidents to determine further response, escalation and reporting needs.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Members of our Global Cybersecurity Disclosure Committee have work experience managing cybersecurity and information security risks, an understanding of the cybersecurity threat landscape and/or knowledge of emerging cybersecurity and data privacy risks.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Global Cybersecurity Disclosure Committee is responsible for oversight of the implementation of appropriate remediation for security incidents where required, as well as determining whether to discuss any information security incidents with the Audit and Risk Committee of the Board of Directors and if external reporting is required under relevant laws, regulations or SEC rules.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true