DENTSPLY SIRONA Inc. - (XRAY)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company maintains a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats. These include risks relating to disruption of business operations or financial reporting systems, intellectual property theft, exposure to fraud or extortion, harm to employees or customers, violation of privacy laws or other regulatory and compliance lapses, reputational risk, and inability to consistently deliver digital business solutions. For more information on the Company’s risks related to cybersecurity, refer to “Risk Factors” in Item 1A of this Annual Report on Form 10-K.

Identifying and assessing cybersecurity risk is fully integrated into our overall risk management systems and processes. The Company has established a cybersecurity and information security program that includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. We leverage the standards set by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as well as industry best practices to measure our security posture and manage risk. Our security program under this framework utilizes policies, software, training programs and hardware solutions to protect and monitor our environment, including multi-factor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems.

Our Chief Information Security Officer (“CISO”), who reports directly to the Chief Financial Officer, oversees the Company’s approach to managing cybersecurity and digital risk. Our CISO also regularly engages with cross-functional teams at the Company and partners with our dedicated technology risk management and privacy teams, and collaborates with our internal audit department to review information technology-related internal controls as part of the overall internal controls process. Our information security strategic plan includes the development of a single detection and response team across both the corporate and product information and technology environments.

We periodically conduct risk assessments to identify threats and vulnerabilities, and then determine the likelihood and impact of each risk using a qualitative risk assessment methodology. We identify risks from various sources, including vulnerability scans, penetration tests, vendor risk assessments, product and services audits, internal compliance assessments and threat-hunting operations. We monitor our infrastructure and applications to identify evolving cyber threats, scan for vulnerabilities and mitigate risks.

With oversight from our Board of Directors, the Company has formally adopted and annually updates a Security Incident Response Plan which coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents. These include processes to triage, assess severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Our incident response plan establishes a framework for measuring the severity of security incidents and provides for a post-market response program including protocols for coordination and communication between security response teams, designated leaders within the Company, internal and outside legal counsel, and the Audit and Finance Committee in responding to any such incidents.

Our cybersecurity and information security program also includes review and assessment by external, independent third parties, with whom we periodically consult on threat assessments, security enhancements and incident response preparedness. We share threat intelligence and collaborate with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, better understand the evolving regulatory environment, and advance capabilities in these areas. Additionally, the Company has a third-party risk management program that assesses risks from vendors and suppliers. In response to these assessments, we have developed contingency plans for business continuity if our vendors are subject to a cyberattack that impacts our use of their systems.

Our Information Security team conducts annual information security awareness training for employees involved in systems and processes that handle customer data, audits of our systems, and enhanced training for specialized personnel. We also conduct cyber awareness training and simulate responses to cybersecurity incidents, and use the findings to improve our practices, procedures, and technologies. In 2024, as part of upcoming enhancements to security preparedness, members of senior management are scheduled to participate in tabletop exercises led by third-party experts on cyber incident response best practices, and to apply their learnings to the Company’s business continuity management program. The Company provides security awareness education and training for all employees and consultants, conducts monthly internal “phishing” testing with mandatory training for “clickers,” and publishes periodic cybersecurity newsletters to highlight any emerging or urgent security threats.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including the impact of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. In the last three years, we have not experienced any material information security breach incidents. The Company maintains cybersecurity insurance, and as part of management oversight we regularly review our policy and levels of coverage based on current risks.

Governance

Management’s Role in Managing Risk

The cybersecurity risk management processes described above are managed by our CISO who reports directly to our Chief Financial Officer. Our CISO has over 25 years of experience in matters of cybersecurity and information systems including senior roles at other global publicly traded companies in various industries. Our CISO is a member of multiple professional organizations, and holds professional certifications from leading information, compliance, and privacy organizations. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program.

At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation, and the CISO is also continually informed about any developments in cybersecurity, including potential threats and industry techniques for risk management to address those threats. The role of the CISO includes implementation and oversight of effective processes to monitor our information systems, including the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. The CISO regularly reports to senior management on our cybersecurity risks and actions taken to mitigate that risk.

Board of Directors Oversight

Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. The Audit and Finance Committee is charged with oversight of data privacy and cybersecurity risks. Our CISO provides updates to either the Audit and Finance Committee or to the full Board of Directors on a quarterly basis on our cybersecurity risks and actions taken to mitigate that risk. These briefings encompass a broad range of topics, including:

current cybersecurity landscape and emerging threats;
the status of ongoing cybersecurity initiatives and strategies;
compliance with regulatory requirements and industry standards; and
updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents.

The CISO also promptly informs and updates the Board about any information security incidents that may pose significant risk to the Company. Our guidelines require that any significant cybersecurity matters, including strategic risk management decisions, be escalated to the Board of Directors to ensure that it has comprehensive oversight. The Audit and Finance Committee conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk management strategies. As part of this review, the Company’s cybersecurity program is periodically evaluated by external experts, and the results of those reviews are reported to the Board. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.