QuidelOrtho Corp - (QDEL)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We are committed to maintaining effective governance and oversight of cybersecurity risks. Our cybersecurity strategy focuses on implementing effective and efficient mechanisms, controls, technologies, systems and other processes across our global IT networks and systems to assess, identify and manage material risks from potential unauthorized occurrences on or through our IT systems that may result in adverse effects on the confidentiality, integrity or availability of our IT systems and the data residing therein. These processes are designed to promote (i) strong controls across our entire IT ecosystem, (ii) transparency across our IT infrastructure so that our information security team can detect, identify and escalate anomalies for further analysis and action, and (iii) a sound enterprise security architecture with security integrated into each phase of system implementation. We believe that the processes and controls we have established to protect our stakeholders’ interests, including with respect to our current regulated products and internal systems, are robust and aligned with applicable cybersecurity regulations and certain identified industry best practices. This includes security by design, regular penetration testing, vulnerability scanning and standardization where possible of cybersecurity architecture principles.
Our cybersecurity risk management is part of our broader enterprise risk management process, which is managed by our internal audit team with oversight from our executive leadership, and ultimately, the Audit Committee and the Board. Supported by a global team of information security professionals, we have in place a variety of tools, processes and services designed to identify the impacts of changing cybersecurity threats within our IT networks and systems and those networks and systems managed by key vendors or third parties. Cybersecurity risks are identified, quantified and mitigated by leveraging detection and preventive technologies, including security monitoring, intrusion detection and prevention systems, routine risk assessments, a vulnerability management infrastructure and a global incident response program. In addition, we periodically consult with outside advisors and experts to anticipate future trends, such as threats and issues within the healthcare industry as well as updates on key regulatory changes, including evolving cybersecurity policies and mandates from the FDA and the Cybersecurity and Infrastructure Security Agency.
We identify and address cybersecurity risks associated with key third-party service providers through security and privacy assessments prior to engaging these third parties, the breadth of which is determined by factors such as the type of data, if any, the third party will have access to, whether the third party will have access to our networks and systems, and whether the third party will provide hardware or software to be used in our products or elsewhere in our organization. Depending on the results of these assessments, we may conduct further assessments prior to or periodically throughout the course of our engagement, limit or cease plans to engage the third party, or negotiate specific contractual protections or remediation provisions.
We also aim to improve our identity and access management by limiting individuals’ access to information only to that which is necessary to conduct their official duties and granting individuals access privileges only to user accounts or processes that are essential to perform their intended functions. Multi-factor authentication and role-based access controls are also core elements of our identity and access management processes. Additionally, we periodically offer training and education to our employees on cyber risks and remind our employees of critical end-user best practices, such as current phishing trends. Information security risk is managed by a cross-functional team, which includes our procurement, compliance, privacy and legal teams, allowing for a holistic view of risks related to the safety and privacy of critical data, such as customer account details, financial data and intellectual property. We aim to secure our data and information throughout their lifecycle – from creation, collection and processing to dissemination, use, storage and disposition.
While we have not identified any material cybersecurity threats or incidents during the last fiscal year, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Risks Relating to Our IT Systems.”
Oversight of cybersecurity risk involves a three-tiered hierarchy designed to leverage the appropriate level of expertise to assess and manage such risks. This consists of our Chief Information Security Officer (“CISO”), Security Governance Committee (“SGC”) and the Audit Committee of the Board. Our CISO is primarily responsible for our global information security program. In this role, the CISO is responsible for the effective operations of information security controls and management of information security and cybersecurity risks across the enterprise, including within our products and operations. The CISO also aligns our information security strategy with our business and technical strategies and integrates, where possible, security initiatives into roadmaps of other functions to promote accountability and awareness. The CISO is also responsible for developing and implementing our information security policies and standards in accordance with applicable global regulatory requirements and facilitating updates to these policies and standards at least annually. Our CISO has 20 years of global information security leadership experience across financial services, legal and medical device industries and over 35 years of broader IT experience.
The SGC is comprised of members of our executive leadership team, including the Chief Financial Officer, Chief Operating Officer, General Counsel, Chief Administrative Officer, Chief Information Officer (“CIO”) and CISO. The CISO reports to the SGC on a regular basis, and informs the committee of critical risks that could potentially affect our information security and cybersecurity posture, as well as regulatory compliance; the status of key projects designed to evolve our information security programs; and any significant cybersecurity issues, incidents and patterns of events. The SGC has the authority to (i) investigate any matter brought to its attention that may impact our ability to adequately protect our information assets and (ii) involve its members, the Board, other steering committees, government agencies and law enforcement, as it deems appropriate, to respond to and remediate such matters. The CISO provides updates to the SGC during the course of significant cybersecurity incidents and, in parallel, response teams partner with our IT and legal teams, law enforcement and others as needed to triage and remediate such incidents. Following such events, we implement changes as appropriate to improve our risk mitigation and remediation capabilities as cyber threats evolve.
The Audit Committee of the Board oversees our cybersecurity risk management and strategy and has an oversight role that involves reviewing, establishing policies for, and assessing the efficacy of processes used to evaluate significant risk exposures and the measures management implements to mitigate these risks. The Audit Committee is informed about cybersecurity risks through regular management reports on the performance of internal and/or external cybersecurity audits and assessments and the effectiveness of existing cybersecurity practices. The CIO, CISO, other members of the SGC, and other personnel also periodically update the Audit Committee on material cybersecurity risks, significant cybersecurity incidents, mitigation measures and impacts to the Company. The Board receives updates from management, including the CIO, and the Audit Committee on cybersecurity risks on at least an annual basis.