Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Protecting the security and integrity of the IT systems under our control and safeguarding the privacy of our customers, patients and employees is a top priority for us at all levels. Cybersecurity and data privacy risks are among the core enterprise risks evaluated through our annual enterprise risk management assessment.
The Chief Security Officer oversees our cybersecurity risk management program in partnership with our Chief Information Officer and other business leaders. The program was developed to assess, identify and manage risks from cybersecurity threats and respond to cybersecurity breaches and cyberattacks, and to protect and preserve the confidentiality, integrity, and continued availability of information owned by, or in the care of, Novartis.
Governance
To address cybersecurity threats and prevent IT system interruptions, the Information Security & Compliance (ISC) team, which is headed by our Chief Security Officer, has implemented enterprise-wide policies, processes and practices. Our Chief Security Officer reports to our Chief Information Officer and is a subject matter expert on information security, privacy, information technology strategy and management, with over 20 years of relevant experience across a number of industries, including pharmaceuticals, consumer goods, financial services and consulting. Our Chief Information Officer has 25 years of experience as an IT professional, including 15 years with Novartis, and is responsible for our technology strategy, delivery and operations globally. Our ISC team assesses our systems against our policies and processes, reviews gaps, and prioritizes remediation. Key performance indicators are reported to the Executive Committee of Novartis. The Executive Committee is responsible for oversight of the Company’s cybersecurity strategy.
We seek to follow industry best practices, such as the NIST Cybersecurity Framework and ISO 27001, to manage information security. Novartis has risk-based services continuity and systems recovery plans in place for key business processes, which are tested periodically. We also conduct ongoing internal vulnerability analyses (including simulated hacking) as well as external testing via third parties to ensure the effectiveness of our cybersecurity controls. We require employees to report IT security incidents to a Cyber Security Operations Center (CSOC) that operates 24 hours a day, 7 days a week. CSOC is a function within ISC that is responsible for investigating all security incidents and alerts, including determining the threat type, incident scope and incident severity. Where appropriate, major incidents are escalated to our Chief Executive Officer, who may then inform our Board of the incident pursuant to our internal procedures. Novartis has not experienced any cybersecurity threats, including as a result of cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Novartis, including its business strategy, results of operations or financial condition. See “Item 3. Key Information—Item 3.D. Risk factors—Operational risks—Cybersecurity and data protection” for information on risks to Novartis from cybersecurity threats.

Cybersecurity Risk Management Processes Integrated [Flag]: true

Cybersecurity Risk Management Processes Integrated [Text Block]
Protecting the security and integrity of the IT systems under our control and safeguarding the privacy of our customers, patients and employees is a top priority for us at all levels. Cybersecurity and data privacy risks are among the core enterprise risks evaluated through our annual enterprise risk management assessment.

Cybersecurity Risk Management Third Party Engaged [Flag]: true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]: true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]: false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
Novartis has not experienced any cybersecurity threats, including as a result of cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Novartis, including its business strategy, results of operations or financial condition.

Cybersecurity Risk Board of Directors Oversight [Text Block]
As part of its enterprise risk management oversight, the Risk Committee of our Board is responsible for ensuring that the Company has implemented an appropriate and effective risk management system and process, including annually reviewing updates on cybersecurity.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
As part of its enterprise risk management oversight, the Risk Committee of our Board is responsible for ensuring that the Company has implemented an appropriate and effective risk management system and process, including annually reviewing updates on cybersecurity. The Risk Committee receives updates on cybersecurity risks, which address a wide range of topics, including recent developments, security incidents, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the peers and vendors of Novartis. At least once each year, the Risk Committee discusses the Company’s approach to cybersecurity risk management with the Chief Security Officer.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Risk Committee receives updates on cybersecurity risks, which address a wide range of topics, including recent developments, security incidents, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the peers and vendors of Novartis. At least once each year, the Risk Committee discusses the Company’s approach to cybersecurity risk management with the Chief Security Officer.

Cybersecurity Risk Role of Management [Text Block]
The Chief Security Officer oversees our cybersecurity risk management program in partnership with our Chief Information Officer and other business leaders.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]: true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
To address cybersecurity threats and prevent IT system interruptions, the Information Security & Compliance (ISC) team, which is headed by our Chief Security Officer, has implemented enterprise-wide policies, processes and practices. Our Chief Security Officer reports to our Chief Information Officer and is a subject matter expert on information security, privacy, information technology strategy and management, with over 20 years of relevant experience across a number of industries, including pharmaceuticals, consumer goods, financial services and consulting. Our Chief Information Officer has 25 years of experience as an IT professional, including 15 years with Novartis, and is responsible for our technology strategy, delivery and operations globally. Our ISC team assesses our systems against our policies and processes, reviews gaps, and prioritizes remediation. Key performance indicators are reported to the Executive Committee of Novartis. The Executive Committee is responsible for oversight of the Company’s cybersecurity strategy.
We seek to follow industry best practices, such as the NIST Cybersecurity Framework and ISO 27001, to manage information security. Novartis has risk-based services continuity and systems recovery plans in place for key business processes, which are tested periodically. We also conduct ongoing internal vulnerability analyses (including simulated hacking) as well as external testing via third parties to ensure the effectiveness of our cybersecurity controls. We require employees to report IT security incidents to a Cyber Security Operations Center (CSOC) that operates 24 hours a day, 7 days a week. CSOC is a function within ISC that is responsible for investigating all security incidents and alerts, including determining the threat type, incident scope and incident severity. Where appropriate, major incidents are escalated to our Chief Executive Officer, who may then inform our Board of the incident pursuant to our internal procedures. Novartis has not experienced any cybersecurity threats, including as a result of cybersecurity incidents, that have materially affected or are reasonably likely to materially affect Novartis, including its business strategy, results of operations or financial condition. See “Item 3. Key Information—Item 3.D. Risk factors—Operational risks—Cybersecurity and data protection” for information on risks to Novartis from cybersecurity threats.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our Chief Security Officer reports to our Chief Information Officer and is a subject matter expert on information security, privacy, information technology strategy and management, with over 20 years of relevant experience across a number of industries, including pharmaceuticals, consumer goods, financial services and consulting. Our Chief Information Officer has 25 years of experience as an IT professional, including 15 years with Novartis, and is responsible for our technology strategy, delivery and operations globally.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Executive Committee is responsible for oversight of the Company’s cybersecurity strategy.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]: true