Fortrea Holdings Inc. - (FTRE)

10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity
Cybersecurity Risk Management Program and Strategy
Our cybersecurity risk management program (the “Cybersecurity Risk Management Program”) was designed to identify, manage, mitigate, and respond to ongoing cybersecurity threats and associated risks, and is responsible for escalating them to the Board of Directors when they are determined to be material. Currently, the Cybersecurity Risk Management Program includes cybersecurity services provided by our Former Parent through 2024 as part of a transition service agreement entered into in connection with the Spin. The underlying controls utilized by these programs are based on industry-recognized best practices and standards for cybersecurity and information technology, which include the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001:2022 Information Security Management Systems Requirements.
The Cybersecurity Risk Management Program is administered through two primary channels: (i) Fortrea-led cybersecurity services and capabilities, and (ii) trusted third-party partners delivering cybersecurity services overseen by our cybersecurity leadership team. Together, both channels deliver the entire Cybersecurity Program, which includes key items such as:
- Cybersecurity risk management program, including, but not limited to, the following:
    - Risk assessment activities and analyses
    - Risk Committee oversight, documentation, and escalation
    - Reporting of risk issues deemed material to the Audit Committee of the Board of Directors
- Cybersecurity services, including, but not limited to, the following:
    - 24x7 security services and operations across three countries, including an Incident Response Plan and process
    - Identity and Access Management support and governance
    - Security Architecture oversight and guidance
    - Governance, Risk and Compliance (“GRC”) functions such as third-party risk management, cybersecurity policies, training, and awareness
    - Annual and independent penetration testing and vulnerability scanning activities conducted by trusted third parties
    - Transition services provided by our Former Parent, as part of the Spin, effective June 2023 and through the exit of the transition service agreement
- Third-party risk management, including, but not limited to, the following:
    - Periodic third-party reviews and assessments measuring cybersecurity services capability and maturity
Cybersecurity risks are identified and documented by our cybersecurity leadership team, then presented to and reviewed with the Fortrea Cybersecurity Risk Management Committee (the “Risk Committee”), as noted in the Governance of Cybersecurity section below. The Risk Committee, in conjunction with business stakeholders as required, evaluates the risks presented to it to determine materiality. Cybersecurity risks deemed material are then formally agreed upon as items to be reported by the Chief Information Security Officer (“CISO”) to the Audit Committee.
Recognizing that the cybersecurity and risk management programs are newly formed, we have established plans to conduct regular reviews and tabletop exercises to test our processes for preparedness in the event of a critical incident, and to integrate cybersecurity risk into the Enterprise Risk Management Framework. As part of our risk management strategy, we have secured comprehensive cyber insurance coverage. We regularly review and update our cyber insurance coverage to align with the evolving nature of cyber threats and industry standards.

Because we are a newly formed company, there are no historical internal or external assessment processes. Going forward, however, the Fortrea Internal Audit team will conduct internal assurance reviews as part of their 2024 annual audit plan. Additionally, as we continue to execute our risk management processes, we plan to engage external cybersecurity partners for the evaluation and assessment of our cybersecurity program and its capabilities.
Although unknown cybersecurity risks could materialize as a result of risk factors identified during the Spin, we are not aware at this time of any material risks associated with cybersecurity threats or incidents that would require disclosure. Refer to “Item 1A. Risk Factors” of this Annual Report on Form 10-K for further discussion of cybersecurity risks.
Governance of Cybersecurity
The Fortrea Audit Committee has been authorized by the Board of Directors to oversee risks from cybersecurity threats. We have established a Risk Committee chaired by the CISO and chartered to determine and execute the processes for the identification and management of material cybersecurity risks. The Risk Committee is composed of cross-functional executive leaders who can assess materiality impact and are accountable for materiality disclosure. The CISO is responsible for reporting on the state of cybersecurity to the Audit Committee on a quarterly basis, including those risks deemed material by the Risk Committee.
Our CISO has more than 25 years of experience building and leading cybersecurity programs for global healthcare and retail companies. The cybersecurity leadership team reporting to the CISO is composed of leaders with skills in cybersecurity risk management, cybersecurity architecture, identity and access management, and cybersecurity operations and engineering. Their experience and certifications are commensurate with their roles.