INTEGRA LIFESCIENCES HOLDINGS CORP - (IART)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Information Technology and Cybersecurity
Our business relies on the secure electronic transmission, storage and hosting of sensitive information, including personal information, financial information, intellectual property, and other sensitive information related to our customers and workforce. Given the importance of cybersecurity to our business, we maintain a comprehensive information technology and cybersecurity program to increase both the effectiveness of our systems and our preparedness for cybersecurity risks, including security monitoring for internal and external threats to bolster the confidentiality, integrity and availability of our information assets. We regularly perform evaluations of our cybersecurity program, including periodic internal and external audits, penetration tests and incident response simulations, and our information technology infrastructure and cybersecurity management system are subject to external program assessments on a regular basis. In 2017, we adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to bolster our cybersecurity management system and reduce cybersecurity risks.
We engage multiple independent third-party cybersecurity services and consulting firms to review our cybersecurity program and we have entered into partnerships with entities such as the Health Information Sharing and Analysis Center, the Cybersecurity & Infrastructure Security Agency, InfraGard, the Department of Homeland Security, the Cyber Fraud Task Forces and the Center for Internet Security to complement our program and bolster our data protection and privacy efforts. To monitor and minimize the risks from cybersecurity threats associated with our use of third-party service providers, we require the completion of standardized information gathering questionnaires from service providers prior to entering any engagement for services. Further, we utilize security ratings from industry-recognized sources to provide an external analysis of such third-party service providers. We work closely with these industry-recognized sources to interpret the security ratings results in the context of the specific characteristics of our information technology and cybersecurity systems, which helps inform our assessment of the efficacy and reliability of the third-party vendors we use. We also conduct periodic internal reviews of the performance and reliability of the third-parties we have engaged for cybersecurity services.
Management and Board Oversight
The Board has overall responsibility for the oversight of risk management at the Company, which includes overseeing our process for identifying, assessing and mitigating significant financial, operational, strategic, cybersecurity and other risks that may affect the Company. Our Chief Information Officer, or CIO, leads our cybersecurity program and our Director, Cybersecurity leads our cybersecurity team. Our CIO provides periodic reports relating to cybersecurity matters to the Board, as well as our Chief Executive Officer and other members of our senior management, as appropriate. Our executive leadership team and Board provide principal oversight and guidance of our cybersecurity risk management programs and processes. We have established a cybersecurity executive steering committee to review and discuss cybersecurity issues and review our security metrics. The committee is comprised of a cross-functional group of senior executives, including our Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Information Officer and Director, Cybersecurity, and is responsible for the implementation and oversight of the processes and systems we use to assess and manage risk from cybersecurity threats as well as cybersecurity incidents. Our CIO and committee members have significant work experience related to cybersecurity issues or oversight and members of our cybersecurity team hold vendor-neutral and vendor-specific certifications from organizations such as the Information Systems Audit and Control Association (ISACA), the Computing Technology Industry Association (CTIA) and the International Information System Security Certification Consortium (ISC2). In addition, we require all new employees to complete cybersecurity training so they are better able to understand how to identify, protect, and preserve sensitive data and minimize risks related to cybersecurity matters. 
We supplement this new hire training with annual training and certification programs, which include social engineering simulations. We continue to expand and improve our global training programs to raise employee awareness of security obligations, and members of senior management regularly provide employees with communications regarding the cybersecurity environment to increase employee awareness of cybersecurity trends and emerging risks.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our monitoring capabilities, including our internal auditing procedures, internal control over financial reporting and corporate compliance programs, are designed in part to inform management about our material risks, including those related to cybersecurity risks. We maintain a regularly tested incident response program for incidents that jeopardize the confidentiality, integrity or availability of our information assets or our risk management systems. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat (including recovery of data and access to systems), analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements. Although the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the team is generally led by the CIO or another member of the cybersecurity executive steering committee and will include other information technology and legal personnel. In the event of a potentially material incident, the incident response team regularly reports to both the Company’s Board and members of senior management, including the Chief Executive Officer, Chief Financial Officer and Chief Legal Officer, to assist in making determinations regarding applicable SEC reporting requirements.
In addition, our Board receives regular reports from management on matters relating to strategic and operational initiatives, financial performance, cybersecurity and legal developments. The Company’s Enterprise Risk Management program, which has been adopted by the Company to further enhance oversight of risks inherent to our business and allow members of the Board and management to gain a greater understanding of the efforts being undertaken to manage the risks confronting the Company, covers cybersecurity risks.
Our management believes that our current systems and practice of implementing regular updates positions us well to support current needs and future growth. We use a strategic information systems multi-year planning process that involves senior management and is integrated into our overall business planning. Information systems projects are prioritized based upon strategic, financial, regulatory, risk and other business advantage criteria.
Cybersecurity Risks
As of December 31, 2023, we have not had any material cybersecurity incidents. However, we face risks associated with cybersecurity incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts or other scams. Although we make efforts to maintain the security and integrity of our networks and systems, and the proprietary, confidential and personal information that resides on or is transmitted through them, and we have implemented various cybersecurity policies and procedures to manage the risk of a security incident or disruption, there can be no assurance that our security efforts and measures will be effective or that attempted security incidents or disruptions would not be successful or damaging. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident. See “Risk Factors–Risks Related to Cybersecurity and Data Privacy—Cyber-attacks or other disruptions to our information technology systems could adversely affect our business” and “—Failure to comply with laws relating to the confidentiality of sensitive personal information or standards related to the transmission of electronic health data, may require us to make significant changes to our products, or incur penalties or other liabilities.”