LivaNova PLC - (LIVN)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cyber Risk Management and Strategy
LivaNova’s enterprise risk management process consists of risk identification, evaluation, control and monitoring, and documentation. The LivaNova Board oversees risk management within the Company, and the CRO provides the framework to identify and reduce risks that may materially impact the Company’s business. As part of the CRO’s enterprise risk management process, regular inquiries and discussions are held with the CISO, Chief Information Officer, Chief Privacy Officer, and their respective teams to review the cybersecurity risk landscape.
LivaNova’s CISO has a Master of Science in Accountancy with a specialization in risk management, in addition to over 15 years of experience in the IT Risk Advisory sector. The CISO leads the Company’s information security team, identifies cybersecurity threats, and implements countermeasures in the cybersecurity realm, considering both internal operations and the external landscape. As part of his duties, the CISO provides relevant information to the CRO in their regular discussions. The CISO also manages the Company’s ISMS program. Guided by the principles of various industry-leading standards, such as the NIST cybersecurity framework and ISO 27001, the objective of the ISMS program is to continue to strengthen LivaNova’s cyber resiliency in connection with its information systems.
As part of LivaNova’s cyber resiliency strategy and in an effort to mitigate potential cybersecurity risks, the Company employs various measures, including employee training, systems monitoring, testing and maintenance of protective systems, and contingency plans. In addition, the CISO manages a structured cyber incident response program where periodic simulation exercises are performed to prepare and train the Company’s cybersecurity incident responders. The Company deploys security tools to help bolster its defense detection capabilities, such as endpoint detection and response tools, security information and event management tools, and 24/7 monitoring. LivaNova regularly evaluates itself for appropriate business continuity and disaster recovery planning, with test scenarios that include simulations and penetration tests.
In addition, LivaNova routinely engages with third-party service providers to conduct evaluations of its security controls, whether through penetration testing or consulting on best practices to address new challenges. The Company receives threat intelligence from industry peers, government agencies, industry-specific information sharing and analysis centers, and cybersecurity associations. The Company relies heavily on its supply chain to deliver products and services to its customers, and a cybersecurity incident at a supplier, subcontractor, or service provider could materially adversely impact the Company. The Company assesses third-party cybersecurity controls through its information security program and includes security and privacy addendums to its contracts where applicable.
Historically, risks from cybersecurity threats have not materially affected the Company’s business strategy, results of operations or financial condition. As previously reported, in November 2023, the Company initiated its cyber response protocol in response to a cybersecurity incident that resulted in a disruption of portions of its information technology systems. Promptly after detecting the issue and per LivaNova’s cyber response protocol, the Company began an investigation with assistance from external cybersecurity consultants and coordinated with law enforcement. The Company continues to assess what information was impacted and to implement remediation measures to mitigate the impact of the incident. While the Company has taken and will continue to take actions to enhance its information security framework, LivaNova cannot determine at this time the extent of the impact from this event on its business, results of operations, cash flows, or financial condition. For further information, please refer to “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Report. Additionally, for a description of the Company’s evaluation of its disclosure controls and procedures, management’s report on internal control over financial reporting and changes in internal control over financial reporting, see “Item 9A. Controls and Procedures.”
Cyber Governance
On a quarterly basis, the CISO presents key security metrics to the Company’s IT Advisory Council, which is composed of functional leaders across the Company and is responsible for IT governance oversight in the Company. Specifically, this IT Advisory Council is responsible for establishing program strategies in alignment with LivaNova’s business objectives, as well as providing guidance on the implementation of appropriate and necessary security controls in alignment with the Information Security Policy. Among other things, the IT Advisory Council reviews summaries of information security incidents, audit findings, or other test reports, and ensures appropriate root-cause analyses are performed and corrective actions are taken. It also establishes year-over-year goals, security objectives, and priorities for the information security program.
On an annual basis, the CISO reviews the information security program achievements and reports to the Company’s IS Executive Committee, which is a cross-functional group composed of the CEO, the CFO, the CLO, and other executive leaders of the Company. Among other things, the IS Executive Committee approves the information security policy and the allocation of budget and resources to information security program initiatives, performs the annual management review of the security program, and reviews corrective action to improve the program.
As codified in its charter, the Audit Committee is responsible for reviewing the processes by which cybersecurity risks are managed and reporting any issues that arise out of such reviews to the Board. The CISO provides key security metrics to the Audit Committee on a quarterly basis, and directly to the chair of the Audit Committee on a case-by-case basis, as needed, at any time during the quarter. The Audit Committee reviews these reports, which include, among other things, external events impacting the Company, security incidents, user training statistics, and evaluations of user readiness to address cyber incidents. Notwithstanding the Company’s approach to cybersecurity, the Company may not be successful in preventing or mitigating future cybersecurity incidents that could have a material adverse effect on the Company. While LivaNova maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For more information on risks related to cybersecurity and data security, see Item 1A. “Risk Factors – Risks Relating to the Company’s Business and Operations.”