Amgen relies on information systems to operate its business, including the collection, compliant management, and retention of personal data entrusted to us by patients, customers, employees, suppliers and others. Helping to ensure our continued access to data allows Amgen to develop and deliver products and solutions that provide value to patients worldwide in terms of improved health outcomes.
Threats to enterprise cybersecurity and data privacy are serious – and so are we about working to ensure the integrity of our systems and data. We place equal emphasis on responsibly collecting, processing, and retaining data entrusted to us.
Our Corporate Responsibility and Compliance Committee and Audit Committee of our Board of Directors oversee our approach to cybersecurity and data privacy, including risk management. Amgen senior management provides the committee and the full Board with regular updates on our information security and data privacy programs and emerging threats.
Enterprise Cybersecurity
Our Chief Information Security Officer (CISO), who is overseen by our Chief Information Officer, who leads our Digital, Technology & Innovation function, is responsible for developing and executing our enterprise-wide information security strategy and our enterprise-wide cybersecurity and records and information management programs. Our CISO also oversees the development, implementation and maintenance of Amgen's information security infrastructure and the monitoring, detection, analysis, event handling and containment of security incidents.
Data Privacy
Working closely with our CISO, our Chief Privacy Officer oversees our Global Privacy Compliance team. The team is responsible for implementing and working to ensure compliance with our global policy on the Protection of Personal Information and other policies and processes that guide how we collect, maintain, use and protect personal information based on the legal and regulatory requirements where we operate. We audit our practices to help ensure compliance with all applicable standards and legal requirements.
Examples of the practices we follow to support the integrity of our data protection processes include:
- Collecting and using the minimum amount of personal information necessary to achieve our business purposes.
- Sharing personal information only with individuals who have a legitimate need for it.
- Conducting supplier assessments to review third-party applications and technologies that contain personal and sensitive information.
- Implementing and monitoring technical and organizational measures to safeguard personal data including through appropriate user access management, secure file transfers and consent management.
- Investigating and remediating incidents involving the potential unauthorized access, possession or loss of personal data, and notifying regulators and affected individuals, where applicable.
Training, Monitoring and Compliance
We require all Amgen staff and contractors to complete annual information protection and compliance training. Employees in privacy-sensitive roles receive additional training specific to their position, including information on applicable data security and privacy laws and regulations – such as the EU General Data Protection Regulation – and the appropriate handling of personal information. Training is available in 24 languages.
We host regular employee awareness events and campaigns on topics such as artificial intelligence, ransomware, and mobile security, and conduct internal phishing exercises to help strengthen employee resiliency.
Our information security and business resilience controls undergo assessment by a third party on a biennial basis to measure maturity, and the outcomes inform our improvement initiatives. We also regularly assess our suppliers to help ensure they maintain appropriate security and privacy controls. This includes assessing their cyber resiliency risk management and working with them to review risks and remediation actions.
Responsible Use of Trustworthy AI [1]
The Amgen Artificial Intelligence (AI) Governance Council is a cross-functional leadership forum dedicated to the safe and timely adoption of Trustworthy AI tools at Amgen. Sponsored by our Chief Compliance Officer and Chief Information Officer, the Council includes members from Quality, Law, Safety, Global Security, Information Security, Regulatory Affairs, Privacy, Compliance, Human Resources, Sourcing and Corporate Audit. Its responsibilities include:
- Establishing guidelines and principles for the secure and timely adoption, deployment, use and development of Trustworthy AI tools in alignment with business priorities.
- Enforcing sustainable governance and controls to safeguard the security, privacy and protection of data, as well as monitoring AI development and deployment across the enterprise.
- Influencing investment decisions and educating staff on appropriate use of AI tools.
Amgen has adopted the Trustworthy AI framework to promote appropriate and responsible use of AI. The framework is based on guidelines published by the National Institute of Standards and Technology. It serves as a guide for how we design and evaluate AI systems. Employees across Amgen are required to complete training on the proper use of AI tools. Additional training is required for employees involved in system development activities.
Collaboration
We engage with government agencies, industry peers and other companies to share information on potential cyber-related issues and effective ways to combat threats. For example, Amgen is a member of the Health Information Sharing and Analysis Center, a community of critical infrastructure owners and operators within the healthcare and public health sector focused on sharing timely, actionable and relevant information.
Policies and Other Information
References:
1. Trustworthy AI refers to the Artificial Intelligence Risk Management Framework published by the National Institute of Standards and Technology, part of the U.S. Department of Commerce, to guide organizations in managing AI risk and promoting trustworthy and responsible AI tools.