CONMED Corp - (CNMD)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We take an active role in ensuring the confidentiality, integrity, and availability of data, systems, processes, applications, and products. We are diligent when it comes to safeguarding the data of our strategic partners, employees, existing and future customers, and our teams throughout the globe. We take the protection of proprietary information, intellectual property, and sensitive information seriously, making it our commitment to provide comprehensive prevention, detection, and response capabilities, in order to maintain integrity.
We manage cyber risk and assess internal maturity capabilities by leveraging the National Institute of Standards and Technology (NIST) framework, in conjunction with the Center for Internet Security (CIS) top 18 risk framework. Internal and external assessments are conducted for best practice benchmarking. Outputs from these assessments are used to develop strategic priorities, and to develop tactical action plans to continue to mature our cyber posture. CONMED leverages technologies, external consultants and vendors to support our risk management strategies, threat insights, trends, and mitigation approaches. In addition, CONMED has published corporate policies that support our cybersecurity efforts, such as our employee handbook, and has proactively implemented protection measures such as endpoint encryption, endpoint monitoring (EDR), remote access, VPN, and multi-factor authentication. Policies and procedures must go through a controlled review process by senior management to ensure relevant updates are being incorporated in our policies.
The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our executive management team, along with our Chief Information Security Officer (CISO), is responsible for managing cybersecurity risk, including assessing cyber maturity and developing short- and long-term strategies. Our CISO has extensive leadership and experience within the cybersecurity space. We invest in the growth and development of our security team's expertise through hands-on training, technical industry certifications and security domain specific conferences. Security is approached as a unified company strategy, where everyone in the organization plays a key role in the success of our programs. Through required phishing training and awareness campaigns, policy and procedures training, and periodic multi-level tabletop exercise scenarios, we continue to improve identification, reporting, response, recovery, and prevention of threats. We engage in penetration testing provided by external entities to ensure that our internal processes and controls are validated.
We continue to invest in IT Security to improve technical capabilities, streamline response effectiveness, and harden preventive, detection, and response measures, while growing the core security organization to support business growth efforts.
We build our security program with a global reach and a global customer base at the top of our minds. Cybersecurity risk factors are evaluated, prioritized, and connected to annual strategic priorities. Strategic priorities comprise critical cybersecurity efforts in an ongoing effort to mitigate internal or external risk factors and drive maturity objectives. We have developed and continue to develop strategic and tactical cyber capabilities to provide a modern approach to protecting the partnerships we have built our business around. This is, and will continue to be, an ongoing effort to provide and implement cyber best practices. Our Audit Committee is briefed semi-annually by our management team to provide awareness around IT environmental risk factors, cyber posture, the global threat landscape, and changing regulatory requirements. Decisions are then made based on all assessed risk factors, including cyber maturity growth, strategic personnel, and appropriate cyber capability. All critical response activities are assessed and communicated from executive management to the Audit Committee, which then reports to the Board of Directors.
During the fiscal year ended December 31, 2023 and through the date of the filing of this Form 10-K, the Company has not identified any specific risks from cybersecurity threats that have materially affected, or are reasonably likely to affect, the Company’s business strategy, results of operations, or financial condition.