Veralto Corp - (VLTO)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy
The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents.

The Company’s cybersecurity program and policies articulate the expectations and requirements with respect to acceptable use, risk management, data privacy, education and awareness, security incident management and reporting, identity and access management, vendor due diligence, security (with respect to physical assets, products, networks, and systems), security monitoring and vulnerability identification. The cybersecurity program and policies are operated by a dedicated cybersecurity operations team. The program and policies are aligned with the Company’s enterprise risk management program.
The Company’s cyber risk management program identifies, tracks, escalates, remediates, and reports risks at the corporate level and across each operating company. These risk areas include internal, product, vendor, supply chain, and external services leveraged across the Company. These risks are assessed, prioritized, and both tactically and strategically addressed via process, technology, and personnel improvements to ensure ongoing mitigation and tracking.
The Company’s cybersecurity strategy is guided by prioritized risk, identified areas for improvement based on the National Institute for Standards and Technology (NIST) Cybersecurity Framework, and emerging business needs. This strategy is shared with the executive leadership at least annually. The Company maintains a global incident response plan, coupled with a global continuous monitoring program. This plan and program include incident alerting, comprehensive incident criticality assessments, and escalation processes to support teams, senior leadership, and the Board. This escalation process also includes cross-functional materiality determinations and applicable reporting requirements.
The Company’s cybersecurity operations team manages all facets of the security monitoring and global incident program, coordinating with a sourced managed services security provider and internal analysts across our operating companies. Applicable company employees are provided cybersecurity awareness training, which includes topics on the Company’s policies and procedures for reporting potential incidents. The Company’s cybersecurity team is continuously evaluating emerging risks, regulations, and compliance matters and updating the policies and procedures accordingly.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. The Company does not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which it is aware are reasonably likely to materially affect the Company. Refer to the risk factor captioned “Significant disruptions in, or breaches in security of, our information technology systems or data or violation of data privacy laws can adversely affect our business and financial statements” in Part I, “Item 1A. Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Governance
The Board oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. Pursuant to the Audit Committee Charter, the Audit Committee of the Board provides compliance oversight to the Company’s risk assessment and risk management policies, which includes cybersecurity, and the steps management has taken to monitor and mitigate such exposures and risks.
The Company’s Chief Information Security Officer (CISO), in coordination with the Chief Information Officer, is responsible for leading the assessment and management of cybersecurity risks. The current CISO has over 25 years of experience in information security and is a Certified Information Systems Security Professional (CISSP). The CISO reports to the Board, the Audit Committee and management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on a quarterly or as-needed basis.