|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management Program Overview
As cybersecurity threats rapidly evolve in sophistication and become more prevalent, especially with the increasing use of artificial intelligence (“AI”) technology, we have implemented a cybersecurity risk management program as part of our oversight, evaluation and mitigation of enterprise-level risks. Our cybersecurity risk management program leverages a combination of processes, technologies and personnel with expertise in cybersecurity to comply with applicable regulations and detect and respond to cyber-attacks, data breaches, security incidents, and compromises of personal information, as well as to regularly and promptly inform management and our Board of Directors of any significant cybersecurity risks and developments.
Our cybersecurity risk management program is led by our global Chief Information Security Officer (“CISO”), who is directly responsible for establishing cybersecurity strategies and structures and managing ongoing cybersecurity risk management activities through our information security office, which is responsible for the
identification, monitoring and management of cybersecurity risks. Our CISO reports directly to our global Chief Information Officer (“CIO”). Our CISO has significant experience in managing cybersecurity risks at major global companies in the pharmaceutical and defense industries. Our CISO regularly meets with the CIO to provide updates on cybersecurity matters. Our CIO updates our executive management on a regular basis to share cybersecurity related matters and discuss strategies to proactively manage cybersecurity threats. Our CISO and CIO brief our Audit Committee on our cybersecurity and risk management programs.
day-to-day
Our information security office is supported by a team consisting of personnel with experience and expertise in cybersecurity risk management strategies, execution and operations, with domain expertise in cloud services security, infrastructure and operational technology security, cybersecurity incident response, and tactical governance risk compliance.
Our CISO and CIO are also members of our information and security governance group, led by our CIO, which is comprised of executive and senior leadership from a variety of functions, including information security, corporate security, legal, finance, human resources, internal audit and compliance, as well as members of Teva’s global situation room (“GSR”). Additionally, our CISO, CIO and other members of our information security office may, from time to time, consult and coordinate with other Teva departments and members of management to manage cybersecurity risks, promote cybersecurity awareness and implement cybersecurity incident responses.
In addition, management has worked, and expects to continue to work, with third-party service providers, as appropriate, to assess, identify and manage cybersecurity risks. Management also conducts periodic and
on-demandassessments of our cybersecurity risk management program with expert service providers to ensure it complies with and meets current ISO 27001 standards. As part of its cybersecurity program, Teva conducts periodic tabletop exercises to assess its cybersecurity incident response process.
As part of its overall risk oversight function, our Audit Committee, which is comprised entirely of independent directors, oversees cybersecurity risks in connection with overseeing our overall enterprise risk management system. Management, including our CISO and CIO, provide updates on our cybersecurity risk management program and cybersecurity matters to the Audit Committee, and also reports to the Board of Directors as necessary. These updates and reports include updates on Teva’s cybersecurity risks and threats, the status of projects intended to strengthen its information security systems, assessments of the information security program (including remediation, mitigation, and management of identified vulnerabilities), and the emerging threat landscape.
As part of our cybersecurity risk management program, we maintain industry standard procedures and policies, which are reviewed and revised periodically, and certified to comply with ISO 27001 standards, to both
proactively assess, identify and manage potential cybersecurity risks and respond to any actual cybersecurity threats and incidents. Such procedures and policies include: actively monitoring our information technology systems to ensure compliance with applicable legal and regulatory requirements; engaging third-party consultants and other service providers to monitor and, as appropriate, respond to cybersecurity risks; requiring our service providers and our business partners who connect directly to our information technology systems to comply with our cybersecurity standards and due diligence processes and be subject to our
non-disclosureand other confidentiality agreements that include cybersecurity-related terms; providing and analyzing specialized industry sector intelligence on cybersecurity threats; regularly testing our cybersecurity systems and disaster preparedness, including our
back-upinformation technology systems; developing and updating incident response plans to address potential cybersecurity threats; and maintaining and training our personnel on cybersecurity incident reporting procedures. Teva engages with key vendors, industry participants, and intelligence and law enforcement communities as part of its continuing efforts to obtain current threat intelligence, collaborate on security enhancements, and evaluate and improve the effectiveness of its information security program.
Cyber Threats and Incident Response
In the ordinary course of our business, we collect and store confidential data, including intellectual property, proprietary business information and personally identifiable information (including of our employees, customers,
suppliers and business partners). We rely extensively on information technology systems, including some systems that are managed by third-party service providers, to securely process, store and transmit such confidential data in order to conduct our business. These systems include programs and processes relating to internal and external communications, ordering and managing materials from suppliers, collecting, processing and storing data produced by our clinical trials and other research and development initiatives, converting materials to finished products, shipping products to customers, processing transactions, processing payments to employees and vendors, calculating sales receivables, generating our financial results for each reporting period, summarizing and reporting results of operations, and complying with information technology security compliance and other regulatory, legal or tax requirements. In addition, as cybersecurity attacks may become increasingly complex as they are enhanced or facilitated by the emergence of new technologies such as AI used to identify and target new vulnerabilities in our information technology systems or those of our customers, third-party vendors and other business partners, we are taking measures to manage these risks by utilizing new tools and capabilities, including AI.
We have not been materially impacted by risks from cybersecurity threats and as of the date of this Annual Report on Form
10-K,we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, there can be no assurance that Teva will not be materially affected by such risks in the future. Our systems and networks have been, and are expected to continue to be, the target of increasingly advanced and evolving cyber-attacks and cybersecurity incidents in the future may adversely impact our business, financial condition and results of operations, and we are continuing to actively monitor such threats. For more information, see “Item 1A, Risk Factors—Risks related to our general business and operations—Significant disruptions of our information technology systems could adversely affect our business” and “Item 1A, Risk Factors—Risks related to our general business and operations—A data security breach could adversely affect our business and reputation.”
In the event that we experience a cybersecurity incident, we have a cybersecurity incident response playbook that sets forth the applicable processes, roles, engagements, escalations and notifications to be executed in order to promptly respond to such threats. Depending on its nature and scale, a cybersecurity threat may be managed within our information security office, escalated to our CISO and CIO, or escalated to our management, and Audit Committee and Board of Directors, as appropriate. In certain instances, our GSR may be initiated and will collectively manage Teva’s response to a crisis on a corporate level. The GSR is comprised of members from our various business units and regions, including senior leadership from a variety of functions, such as information security, legal, finance, human resources, communications and compliance.
We carry insurance that provides protection against the potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover or be sufficient to cover all losses or claims that may result from a cybersecurity incident.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|We have not been materially impacted by risks from cybersecurity threats and as of the date of this Annual Report on Form
10-K,we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, there can be no assurance that Teva will not be materially affected by such risks in the future. Our systems and networks have been, and are expected to continue to be, the target of increasingly advanced and evolving cyber-attacks and cybersecurity incidents in the future may adversely impact our business, financial condition and results of operations, and we are continuing to actively monitor such threats. For more information, see “Item 1A, Risk Factors—Risks related to our general business and operations—Significant disruptions of our information technology systems could adversely affect our business” and “Item 1A, Risk Factors—Risks related to our general business and operations—A data security breach could adversely affect our business and reputation.”
|Cybersecurity Risk Role of Management [Text Block]
|As part of its overall risk oversight function, our Audit Committee, which is comprised entirely of independent directors, oversees cybersecurity risks in connection with overseeing our overall enterprise risk management system.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Management, including our CISO and CIO, provide updates on our cybersecurity risk management program and cybersecurity matters to the Audit Committee, and also reports to the Board of Directors as necessary. These updates and reports include updates on Teva’s cybersecurity risks and threats, the status of projects intended to strengthen its information security systems, assessments of the information security program (including remediation, mitigation, and management of identified vulnerabilities), and the emerging threat landscape.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity risk management program is led by our global Chief Information Security Officer (“CISO”), who is directly responsible for establishing cybersecurity strategies and structures and managing ongoing cybersecurity risk management activities through our information security office, which is responsible for the
identification, monitoring and management of cybersecurity risks.
day-to-day
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef