Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We recognize the importance of timely and appropriately assessing, preventing, identifying and managing risks associated with Cybersecurity Threats, as such term is defined in Form 20-F, Part II, Item 16K(a). These risks include, among other things, potential operational risks; intellectual property theft; fraud; extortion; harm to associates, customers or patients; violation of privacy and other litigation and legal risk; and reputational risks. We have implemented cybersecurity processes, technologies and controls to aid in our efforts to assess, prevent, identify and manage such risks.
To identify and assess risks from Cybersecurity Threats, our enterprise risk management program considers Cybersecurity Threat risks alongside other company risks as part of our overall risk assessment process. Our internal audit team collaborates with subject matter specialists, as necessary, to gather insights for identifying and assessing Cybersecurity Threat risks, their likelihood and severity, and potential preventative measures and mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing and tabletop exercises to inform our risk identification, assessment and management.
We also have a cybersecurity-specific risk assessment process, which helps identify our Cybersecurity Threat risks by aligning our processes with industry cybersecurity frameworks, including the National Institute of Standards and Technology (“NIST”) and International Organization for Standardization (“ISO”) 27001 standards, as well as by engaging experts to attempt to infiltrate our Information Systems, as such term is defined in Form 20-F, Part II, Item 16K(a).
To provide for the availability of critical data and systems, maintain regulatory compliance, manage our risks from Cybersecurity Threats and to protect against, detect and respond to Cybersecurity Incidents, as such term is defined in Form 20-F, Part II, Item 16K(a), we undertake activities including:
The Alcon IT Security Incident Response policy generally follows the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident. Alcon’s incident response policy also includes timely collaboration with appropriate Alcon business stakeholders, including information technology, data privacy and legal functions to appropriately identify and respond to any notification or other legal obligations related to such incidents, as applicable;
We monitor applicable data protection laws and best practices, and seek to implement, maintain and enhance our security safeguards and processes accordingly;
We regularly review our consumer facing policies and statements related to cybersecurity;
Where applicable, we seek to proactively inform our customers of substantive changes related to customer data handling;
We conduct annual data privacy, cybersecurity and compliance training for all our associates, which includes cyber and informational loss reporting;
We conduct annual cybersecurity management and incident training for associates involved in our systems and processes that handle sensitive data;
We perform regular phishing simulation activities for all associates and contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
We perform regular Security Incident Response Tabletops facilitated by a third-party incident response provider and include comprehensive organizational involvement to simulate a response to a cybersecurity incident and use the findings to mature our processes and technologies;
We maintain, and review coverage on a periodic basis, a group insurance plan to provide protection against the potential losses arising from a cybersecurity incident; and
We have an incident response retainer with an industry leading supplier to assist in an actual or potential cybersecurity incident.
Through policy, practice and contract, as applicable, we require associates, as well as third parties who provide services on our behalf, to treat Alcon data, including customer, patient, employee and other confidential and sensitive information, in accordance with our policies.
Our incident response process coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate potential brand, reputational or other damage.
Our information security team partners with Alcon's data privacy and legal teams and other groups to timely determine whether and how risks from identified Cybersecurity Threats, including results from any previous Cybersecurity Incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial conditions.
Our processes also address Cybersecurity Threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to Alcon data, including customer, patient, associate or other confidential or proprietary information, or Alcon systems or facilities. Third-party risks are included within our risk management assessment program, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor Cybersecurity Threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce potentially heightened cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
As part of the above processes, our information security team regularly engages with Alcon's data privacy and legal teams, assessors, consultants, auditors and other third parties, including a regular maturity assessment by a Qualified Security Assessor to review our cybersecurity program to identify areas for continued focus, improvement and/or compliance.
In the last three fiscal years, we have not experienced any material Cybersecurity Incidents and the expenses we have incurred from Cybersecurity Incidents were immaterial. We have not paid any penalties or settlements in the past three years.
For further discussion of risks from Cybersecurity Threats to us, see "Item 3. Key Information-3.D. Risk Factors-Significant cybersecurity breaches could disrupt business operations, result in the loss of critical and confidential information and adversely affect our reputation and results of operations."
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We recognize the importance of timely and appropriately assessing, preventing, identifying and managing risks associated with Cybersecurity Threats, as such term is defined in Form 20-F, Part II, Item 16K(a). These risks include, among other things, potential operational risks; intellectual property theft; fraud; extortion; harm to associates, customers or patients; violation of privacy and other litigation and legal risk; and reputational risks. We have implemented cybersecurity processes, technologies and controls to aid in our efforts to assess, prevent, identify and manage such risks.
To identify and assess risks from Cybersecurity Threats, our enterprise risk management program considers Cybersecurity Threat risks alongside other company risks as part of our overall risk assessment process. Our internal audit team collaborates with subject matter specialists, as necessary, to gather insights for identifying and assessing Cybersecurity Threat risks, their likelihood and severity, and potential preventative measures and mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing and tabletop exercises to inform our risk identification, assessment and management.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
The Audit and Risk Committee of our Board is responsible for the oversight of risks from Cybersecurity Threats. At least annually, the Audit and Risk Committee receives an overview from Cybersecurity management covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan and material Cybersecurity Threat risks or incidents, as well as the steps management has taken to respond to such risks. In such sessions, the Audit and Risk Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging Cybersecurity Threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer ("CISO"). Members of the Audit and Risk Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Cybersecurity Threat risks are also considered during separate Board meeting discussions of important matters such as enterprise risk management, operational budgeting and strategic planning, business continuity planning, mergers and acquisitions, brand management and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CISO who has over 30 years of prior relevant experience in various information technology roles involving managing global information security, application development and IT infrastructure organizations, developing cybersecurity strategy and implementing effective information and cybersecurity programs. Our CISO manages a team of associates who provide information assurance governance and consultation across all regions of our business. This team includes approximately 60 individuals holding various cybersecurity certifications. Our CISO and our information assurance team partner closely with our regional privacy officers, led by our Global Data Privacy Officer.
These members of management are informed about and monitor the prevention, mitigation, detection, classification and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
As discussed above, these members of management report to the Audit and Risk Committee about Cybersecurity Threat risks, among other cybersecurity-related matters, at least annually.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit and Risk Committee of our Board is responsible for the oversight of risks from Cybersecurity Threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] At least annually, the Audit and Risk Committee receives an overview from Cybersecurity management covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan and material Cybersecurity Threat risks or incidents, as well as the steps management has taken to respond to such risks. In such sessions, the Audit and Risk Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging Cybersecurity Threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer ("CISO"). Members of the Audit and Risk Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Cybersecurity Threat risks are also considered during separate Board meeting discussions of important matters such as enterprise risk management, operational budgeting and strategic planning, business continuity planning, mergers and acquisitions, brand management and other relevant matters.
Cybersecurity Risk Role of Management [Text Block] The Audit and Risk Committee of our Board is responsible for the oversight of risks from Cybersecurity Threats. At least annually, the Audit and Risk Committee receives an overview from Cybersecurity management covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan and material Cybersecurity Threat risks or incidents, as well as the steps management has taken to respond to such risks. In such sessions, the Audit and Risk Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging Cybersecurity Threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer ("CISO"). Members of the Audit and Risk Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Cybersecurity Threat risks are also considered during separate Board meeting discussions of important matters such as enterprise risk management, operational budgeting and strategic planning, business continuity planning, mergers and acquisitions, brand management and other relevant matters.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Audit and Risk Committee of our Board is responsible for the oversight of risks from Cybersecurity Threats. At least annually, the Audit and Risk Committee receives an overview from Cybersecurity management covering topics such as data security posture, results from third-party assessments, progress towards predetermined risk-mitigation-related goals, our incident response plan and material Cybersecurity Threat risks or incidents, as well as the steps management has taken to respond to such risks. In such sessions, the Audit and Risk Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging Cybersecurity Threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer ("CISO"). Members of the Audit and Risk Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Cybersecurity Threat risks are also considered during separate Board meeting discussions of important matters such as enterprise risk management, operational budgeting and strategic planning, business continuity planning, mergers and acquisitions, brand management and other relevant matters.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CISO who has over 30 years of prior relevant experience in various information technology roles involving managing global information security, application development and IT infrastructure organizations, developing cybersecurity strategy and implementing effective information and cybersecurity programs. Our CISO manages a team of associates who provide information assurance governance and consultation across all regions of our business. This team includes approximately 60 individuals holding various cybersecurity certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] These members of management are informed about and monitor the prevention, mitigation, detection, classification and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true