MASIMO CORP - (MASI)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Risk Management & Strategy
Cybersecurity is a critical component of risk management. We rely on information technology and any failure, inadequacy, interruption or security lapse of such technology, including any cybersecurity incidents, could harm our ability to operate our business effectively.
Management regularly performs risk assessments relating to cybersecurity risks. We have a risk-based cybersecurity program, dedicated to protecting our data and data that may be collected from patient monitoring devices. We utilize a defense-in-depth strategy with multiple layers of security controls to protect our data and systems. We mitigate cybersecurity risks by employing a number of measures, including employee training, systems monitoring and testing and maintenance of protective systems and contingency plans. As part of our cybersecurity risk management processes, management engages external auditors and consultants to assess our program and controls. We evaluate ourselves for appropriate business continuity and disaster recovery planning, with test scenarios that include simulations and penetration tests. We also install and regularly update antivirus software on all of our Company-managed systems to detect malicious code and prevent it from impacting our systems. We require cybersecurity awareness training for all staff members with access to our network. We also maintain cyber liability insurance coverage to further reduce our risk profile. Security of our financial data and other sensitive information remains a high priority for us, led by our global information security team. We employ an appropriate encryption and tokenization platform for all online and direct-to-consumer sales from our websites, ensuring no credit card data is stored in our internal systems. For more information on risks related to cybersecurity and data security, see Item 1A. “Risk Factors - Risks Related to Our Regulatory Environment” and “Risk Factors - General Risk Factors”. Except as disclosed therein, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition.
Our cybersecurity program is focused on the following:
Cybersecurity Awareness: We identify and assess cyber risks through the dissemination of information from industry groups and third-party experts.
Training: We provide annual cybersecurity training for company personnel with network access and conduct periodic simulated phishing exercises.
Technical Safeguards: We deploy measures to protect our network perimeter and internal information technology platforms, such as internal and external firewalls, network intrusion detection and prevention, penetration testing, vulnerability assessments, threat intelligence, anti-malware and access controls.
Vendor Management: We maintain data protection agreements with our vendors that contain contractual provisions requiring safeguards for the protection of personal information. In addition, vendors are screened for data security measures as part of our vendor due diligence process.
Incident Response Plans: We maintain and update incident response plans that address the life cycle of a cyber incident (i.e., detection, response and recovery), as well as data breach response plans, and test those plans annually with tabletop exercises.
Mobile Security: We deploy controls to prevent loss of data through mobile devices.
Security Standards: Our program leverages security standards such as HIPAA, HITRUST, NIST CSF, ISO 27001, and PCI DSS.
Insurance: We maintain a cybersecurity insurance program with established and respected insurance companies.
Governance
Our Nominating, Compliance, and Corporate Governance Committee is responsible for overseeing the Company’s information security risk management, including cybersecurity, data privacy, and other information technology risks, controls and procedures, and the Company’s plans to mitigate cybersecurity risks and to respond to data breaches. The Company’s Senior Director of Information Security, who has more than a decade of experience in IT and cybersecurity-related roles, assists in assessing the Company’s cybersecurity risks and has the relevant expertise necessary for such assessment. Pursuant to the Company’s internal policies, executive management team members, which may include the General Counsel, Chief Financial Officer, and Chief Information Officer, are briefed on cybersecurity trends, potential risks, ways to improve the Company’s risk posture, as well as changes to the legal and regulatory landscape relative to cybersecurity and data privacy. Consistent with our internal policies, our executive team is responsible for apprising the Nominating, Compliance, and Corporate Governance Committee of cybersecurity incidents consistent with our incident response plan.