|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Viatris operates in a complex and rapidly changing environment that involves many potential risks, including IT and cybersecurity risks. Risk management is an enterprise-wide objective and is subject to oversight by the Viatris Board and its committees. It is the responsibility of Viatris’ management and employees to identify material risks to our business and to implement and administer risk management and mitigation processes and programs, while also maintaining reasonable flexibility in how we operate. Our internal audit function coordinates cross functionally to maintain the Company’s enterprise risk assessment, including the identification of key and emerging risks, and reviews and refreshes this analysis quarterly with executive management. For each key or emerging risk identified, the Company establishes risk monitoring ownership, from which quarterly updates are collected for executive management and the Viatris Board’s Compliance and Risk Oversight Committee.
With respect to IT and cybersecurity risks, Viatris maintains an information security program that is aligned with the National Institute of Standards and Technology Cybersecurity Framework, and which is designed to govern, identify, protect, detect, respond to and recover from cybersecurity threats. Viatris’ information security program includes policies, procedures, cybersecurity awareness communications, testing, and training for employees (including mandatory training programs for system users), system monitoring, risk reduction, vulnerability and patch management and monitoring of external developments. The information security team is responsible for defining and overseeing the execution of the Company’s information security program and strategy. The Viatris IT team, led by the Chief Information Officer, is responsible for ongoing security operations such as maintaining firewalls and patch management. In addition, the delivery of many information security programs relies on IT resources to execute the selection, delivery and implementation of security solutions, such as end-point protection and end-of-life protocols.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|It is the responsibility of Viatris’ management and employees to identify material risks to our business and to implement and administer risk management and mitigation processes and programs, while also maintaining reasonable flexibility in how we operate.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Compliance and Risk Oversight Committee of the Viatris Board is responsible for reviewing management’s exercise of its responsibility to identify, assess, and manage material risks not allocated to the Viatris Board or another Committee of the Viatris Board, including data security programs and cybersecurity and IT. In the event of a severe cybersecurity incident, such as a ransomware attack or other incident that has a severe adverse effect on Viatris’ operations, critical systems or sensitive data, or which may cause severe reputational damage, executive management may determine that it is necessary to notify the Viatris Board or the Compliance and Risk Oversight Committee about such a cybersecurity incident immediately. Otherwise, the Compliance and Risk Oversight Committee receives reports from executive management on data security, cybersecurity and information security-related matters on at least a quarterly basis, including with respect to related risks, risk management, risk reduction programs, and relevant legislative, regulatory, and technical developments. On a biannual basis, the Compliance and Risk Oversight Committee and chairs of each other Committee of the Viatris Board receive an information security update from the Company’s Chief Information Security Officer & Head of Global Security, the Chief Compliance Officer and the Chief Information Officer. The full Viatris Board receives a report on the respective quarterly discussions from the Chair of the Compliance and Risk Oversight Committee each quarter.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Compliance and Risk Oversight Committee of the Viatris Board is responsible for reviewing management’s exercise of its responsibility to identify, assess, and manage material risks not allocated to the Viatris Board or another Committee of the Viatris Board, including data security programs and cybersecurity and IT.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Otherwise, the Compliance and Risk Oversight Committee receives reports from executive management on data security, cybersecurity and information security-related matters on at least a quarterly basis, including with respect to related risks, risk management, risk reduction programs, and relevant legislative, regulatory, and technical developments. On a biannual basis, the Compliance and Risk Oversight Committee and chairs of each other Committee of the Viatris Board receive an information security update from the Company’s Chief Information Security Officer & Head of Global Security, the Chief Compliance Officer and the Chief Information Officer.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company’s Chief Information Security Officer & Head of Global Security, under the direction of the Company’s Chief Compliance Officer, reports quarterly to an internal risk committee of senior management, which includes the CEO, CFO, Chief Legal Officer, Chief People Officer, Chief Corporate Affairs Officer, Chief Information Officer, Chief Compliance Officer, Chief Quality Officer, Chief Supply Officer, Chief R&D Officer and Regional Presidents, as well as the Viatris Board on the progress of the information security program and overall security status. Viatris’ current Chief Information Security Officer & Head of Global Security has over 25 years of experience in information security within the pharmaceutical industry.
As part of its information security program, Viatris has adopted a Cybersecurity Incident Response Plan (CIRP) to establish a guide for Viatris’ leadership and incident response stakeholders through an “incident” – a single event or a set of anomalous and adverse “events” or, for purposes of the CIRP, a change in a system, technology device or environment that could impact the confidentiality, integrity, availability or safety of Viatris’ data, employees or assets, caused by malicious intent or accident and impacting Viatris’ network, computing systems, digital information, employees or assets. The CIRP is managed by the Viatris global information security team and is reviewed at least annually. Viatris tests the CIRP through technical exercises semi-annually, reviews the CIRP with executive management annually, and periodically conducts executive tabletop exercises/scenarios. The CIRP provides an overview of critical actions to take through the incident response lifecycle and contains a severity matrix used to guide the Company’s incident response stakeholders on communication and escalation protocols. The severity of the incident guides the determination of the parties to whom the incident will be escalated, and the Company may decide to seek assistance from a third-party incident response vendor.
Viatris’ Cybersecurity Incident Response Team (CIRT) reports to the Chief Information Security Officer & Head of Global Security and has the role of investigating and executing incident protocols. The CIRT is responsible for determining the potential impacts to the Company, including severity, notifying appropriate parties pursuant to the CIRP and determining whether to engage a third-party incident response vendor, among other responsibilities. Critical incidents require implementation of the global crisis plan and high severity incidents require notification to the executive leadership team once such an incident is confirmed. The Company’s Disclosure Controls and Procedures also require (i) the Company’s Information Security function to monitor and escalate, as appropriate, cybersecurity incidents or series of related incidents (including with respect to any third party provider to the Company of IT services) and (ii) the Disclosure Committee to determine, without unreasonable delay, the materiality of any such escalated cybersecurity incidents or series of related incidents with input from Global Compliance, Information Security, Legal, Finance and other groups, as appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s Chief Information Security Officer & Head of Global Security, under the direction of the Company’s Chief Compliance Officer, reports quarterly to an internal risk committee of senior management, which includes the CEO, CFO, Chief Legal Officer, Chief People Officer, Chief Corporate Affairs Officer, Chief Information Officer, Chief Compliance Officer, Chief Quality Officer, Chief Supply Officer, Chief R&D Officer and Regional Presidents, as well as the Viatris Board on the progress of the information security program and overall security status.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Viatris’ current Chief Information Security Officer & Head of Global Security has over 25 years of experience in information security within the pharmaceutical industry.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
As part of its information security program, Viatris has adopted a Cybersecurity Incident Response Plan (CIRP) to establish a guide for Viatris’ leadership and incident response stakeholders through an “incident” – a single event or a set of anomalous and adverse “events” or, for purposes of the CIRP, a change in a system, technology device or environment that could impact the confidentiality, integrity, availability or safety of Viatris’ data, employees or assets, caused by malicious intent or accident and impacting Viatris’ network, computing systems, digital information, employees or assets. The CIRP is managed by the Viatris global information security team and is reviewed at least annually. Viatris tests the CIRP through technical exercises semi-annually, reviews the CIRP with executive management annually, and periodically conducts executive tabletop exercises/scenarios. The CIRP provides an overview of critical actions to take through the incident response lifecycle and contains a severity matrix used to guide the Company’s incident response stakeholders on communication and escalation protocols. The severity of the incident guides the determination of the parties to whom the incident will be escalated, and the Company may decide to seek assistance from a third-party incident response vendor.
Viatris’ Cybersecurity Incident Response Team (CIRT) reports to the Chief Information Security Officer & Head of Global Security and has the role of investigating and executing incident protocols. The CIRT is responsible for determining the potential impacts to the Company, including severity, notifying appropriate parties pursuant to the CIRP and determining whether to engage a third-party incident response vendor, among other responsibilities. Critical incidents require implementation of the global crisis plan and high severity incidents require notification to the executive leadership team once such an incident is confirmed. The Company’s Disclosure Controls and Procedures also require (i) the Company’s Information Security function to monitor and escalate, as appropriate, cybersecurity incidents or series of related incidents (including with respect to any third party provider to the Company of IT services) and (ii) the Disclosure Committee to determine, without unreasonable delay, the materiality of any such escalated cybersecurity incidents or series of related incidents with input from Global Compliance, Information Security, Legal, Finance and other groups, as appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true