ALIGN TECHNOLOGY INC - (ALGN)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

We have implemented a cross-departmental approach to managing cybersecurity risk, which includes seeking input from our employees, management, third-party vendors, the Audit Committee of the Board of Directors (the “Audit Committee”), and the Board of Directors. We devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and response. To more effectively address cybersecurity threats, we have a dedicated Chief Information Security Officer (“CISO”) who is responsible for leading enterprise-wide information security strategy, policy, process, and technology. Our current CISO has 20+ years of information security and risk management experience and holds a Certified Information Systems Security Professional (CISSP) certification. Our CISO regularly briefs our Audit Committee on our cybersecurity and information security program and on cybersecurity incidents deemed to pose a risk of critical business impact or reputational harm. Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. Our information security team, composed of employees with expertise in cybersecurity and information technology, regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection, and response.

Our information security program includes, among other things, cybersecurity incident response, vulnerability management, antivirus and malware protection, technology compliance and risk management, encryption, identity and access management, application security, and security monitoring. The program also includes an information security awareness program, which consists of annual training regarding our acceptable use and information classification and handling policies, regular phishing campaigns complemented by additional employee training as appropriate, and communications and companion trainings to keep our users informed of current events.

The information security program’s ultimate goal is preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. In the event of an identified cybersecurity incident, we have developed a detailed cybersecurity incident response process, which outlines the steps to be followed from incident detection through analysis, containment, eradication, recovery, and notification, including notifying functional areas (e.g. information technology, legal, finance, operations, privacy), as well as senior leadership and the Audit Committee, as appropriate. For critical cybersecurity incidents, processes have been established for our legal team to determine the materiality of each incident.

Our information security team engages third-party services to conduct evaluations of our security controls, including penetration testing and independent audits. Annually, an external auditor conducts a System and Organization Controls (“SOC”) 2 Type 2 audit covering the security principle for systems supporting our products.

Our assessment of risks associated with the use of third-party vendors is part of our overall cybersecurity risk management framework. If a third-party vendor is unable to provide a SOC 1 or SOC 2 report, our information security team takes additional steps to assess the vendor’s cybersecurity preparedness before initiating or continuing our engagement with them. Additionally, third-party vendors are required to include security and privacy addendums in our contracts where applicable and are reassessed periodically as necessary depending on the risk level that has been assigned to the third-party vendor. Our legal team also requires that our third-party vendors report cybersecurity incidents to us so that the impact of the incident on us can be assessed.

Our Audit Committee is responsible for reviewing cybersecurity risks and our cybersecurity program. It oversees and reviews our cybersecurity and other information technology risks, controls, policies, and procedures. Our information security team annually performs a cybersecurity enterprise risk assessment and presents the results to management and the Audit Committee. The Audit Committee periodically reports on its review of cybersecurity risks and our cybersecurity program to our Board of Directors. In 2023, our CISO or his team met with the Audit Committee four times to discuss cybersecurity risks and threats.

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Notwithstanding the approach we take to cybersecurity, we may not successfully prevent or mitigate cybersecurity incidents that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be covered or, if covered, fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.