BRUKER CORP - (BRKR)

10-K Filing Date: February 29, 2024
ITEM 1C CYBERSECURITY

The Board’s Audit Committee oversees risks relating to cybersecurity threats and the steps management takes to monitor and control such exposures. The Company has instituted an Information Security Incident Response Plan (“IRP”) which provides a framework to assist the Company in responding to actual or potential cybersecurity incidents. Our IRP includes detailed response procedures to be followed in the event of a cybersecurity incident, which outline steps to be executed from detection to assessment to notification and recovery, including internal notifications to the Audit Committee as appropriate. These incidents may consist of any actual, threatened, suspected, or reported event or occurrence that may affect the confidentiality, integrity, or availability of Company systems or data, or of any such event affecting a third party that may affect Company systems or data. The objective of the IRP is to facilitate a timely and coordinated enterprise-level response to such incidents to mitigate impact on the Company and its employees, stockholders, customers, business partners, and other stakeholders. The Audit Committee receives regular reporting from senior officers (such as the Chief Information Security Officer and the Director of Risk Management & Insurance) on operational risk and the steps management has taken to monitor and control these risks. Such reporting includes updates on the Company’s IRP, the external threat environment, and the Company’s programs to address and mitigate the risks associated with the cybersecurity threat environment. The IRP and internal controls around cybersecurity are periodically evaluated by external experts and the results of those reviews are reported to the Audit Committee.

The Company has established a corporate-level global Information Security Incident Response Team (“ISIRT”), which provides a centralized, coordinated response to, and management of, cybersecurity incidents that may present significant risk to the Company’s operations, valuation, brand or reputation, employees, and customer or business relationships. The Company’s cybersecurity response team is comprised of multiple subject-matter experts, including information technology, cybersecurity and risk management members with a combined experience of well over 60 years. Core members of the ISIRT consist of the Vice President, Financial Operations and Project Management (“Financial Ops”); Senior Vice President, General Counsel, and Corporate Secretary (“General Counsel”); Chief Information Security Officer (“CISO”) who reports to the Chief Information Officer (“CIO”); Chief Privacy Officer (“CPO”); Vice President, Corporate Treasurer (“Treasury”); Director, Risk Management & Insurance (“Risk Management”); and Cyber Security Manager (“Information Security”). If a cybersecurity incident warrants activation of the ISIRT, the Company’s Financial Ops and the General Counsel will notify, as appropriate, the Company’s executive leadership and the Audit Committee. We also engage specialized third-party consultants to proactively support our cybersecurity efforts, which include, but are not limited to, application and network security, information risk management, as well as business continuity and disaster recovery.

Cybersecurity incidents may occur at, or be reported to, any of the Company’s facilities worldwide. The Company has an IT Service Desk which acts as the single point of contact for cybersecurity incident reporting. Employees can notify the IT Service Desk of any event that they observe, or that is reported to them, that may constitute a cybersecurity incident. Once notified, the IT Service Desk team conducts an initial classification and escalates, when needed, to the CISO and other members of ISIRT as per the Company’s IRP. Financial Ops, in consultation with the General Counsel, CPO and CISO, decides whether to activate the ISIRT in connection with any escalated incident. When activated, the ISIRT coordinates and directs all aspects of the response, including, as applicable, investigation, containment, business continuity and recovery, remediation, notifications, communications, and post-incident activities with executive leadership, including the CIO, and the Audit Committee and/or Board of Directors, as appropriate in the circumstances. As of December 31, 2023, no identified risk has required activation of the ISIRT.

In addition, our third-party service providers play a role in our risk management and strategy as well as with the investigation of cybersecurity incidents. Based upon the assessment of the type of incident and risk presented, the ISIRT engages outside counsel and/or external resources, such as forensic consultants, to conduct or assist with cybersecurity investigations in order to provide advice to the Company. The vendors we engage with are globally recognized companies with expertise in cybersecurity. We conduct due diligence before onboarding new vendors and maintain ongoing evaluations to ensure compliance with our security standards.

For a discussion of information technology rights that may materially impact us, see Item 1A “Risk Factors - We rely on information technology to support our operations and reporting environments. A security failure of that technology, including with respect to cybersecurity, could impact our ability to operate our businesses effectively, adversely affect our financial results, damage our reputation and expose us to potential liability or litigation.”
