3D SYSTEMS CORP - (DDD)
10-K Filing Date: August 13, 2024
Item 1C. Cybersecurity
We recognize the critical importance of maintaining the safety and security of our systems and data. We have implemented a layered cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.
Governance
As part of the Company’s risk management activities, we prioritize the identification and management of risks, including risks related to cybersecurity.
Board of Directors
Our Board has delegated to the Audit Committee the oversight of cybersecurity risks, including overseeing the actions management has taken to monitor or mitigate such exposure. The Audit Committee reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks on a periodic basis. As part of such reviews, the Audit Committee receives reports and presentations from members of the team responsible for overseeing the Company’s cybersecurity program, including the Chief Information Officer (CIO), which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, and technological trends. The Audit Committee and such members of our management team also report to the Board at least annually on cybersecurity matters. We have defined guidelines by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported promptly to the Audit Committee and the Board, as well as ongoing updates regarding any such incident.
Management
At the management level, our CIO and Head of Cybersecurity have extensive cybersecurity knowledge and skills gained from work experience at the Company and other publicly traded companies. They lead the team responsible for implementing, monitoring, and maintaining cybersecurity, including data protection practices across our business. The Head of Cybersecurity receives reports on cybersecurity threats from both our internal and external partners on a regular basis. The Chief Administrative Officer and Chief Executive Officer receive regular reports from the Head of Cybersecurity and the CIO on the cyber program and measures implemented by the Company to identify and mitigate cybersecurity risks. Our CIO and Head of Cybersecurity work closely with our Company’s Legal and Compliance teams to oversee compliance with legal, regulatory, and contractual security requirements, and also attend meetings with the Audit Committee and the Board that include cybersecurity updates.
Internal Cybersecurity Team
Our internal Cybersecurity Team, led by the Head of Cybersecurity, is responsible for the implementation, monitoring, and maintenance of our cybersecurity program, including the Company’s data protection practices. Reporting to our Head of Cybersecurity are a number of experienced and trained information security professionals who have previous work experience and educational backgrounds in information technology and security, and who also have industry recognized cybersecurity certifications. In addition to our internal cybersecurity capabilities, we also utilize a number of third-party experts to assist with assessing, identifying, and managing our cybersecurity risks.
Risk Management and Strategy
Assessing, identifying and managing cybersecurity risks are integral to our risk management activities. Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats in a timely manner. We maintain continuous monitoring of our network and also assess, identify, and manage risks from cybersecurity threats through various mechanisms, which may include incident response planning, risk assessments, control gap analyses, threat modeling, penetration tests, and vulnerability scanning.
Our cybersecurity assessment analyses have identified and prioritized steps to further enhance our cybersecurity practices. We maintain cyber insurance, regularly conduct company-wide cybersecurity awareness training, and have a dedicated team of Company personnel to address cybersecurity threats. We intend to implement additional security measures and processes to enhance our detection and response to cybersecurity incidents as appropriate.
We have adopted a Cybersecurity Incident Response Plan (the “IRP”) to provide a standardized framework for responding to and escalating security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as needed.
Material Cybersecurity Risks, Threats & Incidents
To date, risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an effect. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Our business could be adversely impacted in the event of a failure of our information technology infrastructure or a successful cybersecurity incident,” which should be read in conjunction with the foregoing information.