Sotera Health Co - (SHC)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We rely on information technology (“IT”) systems to conduct business, including but not limited to, interacting with customers and suppliers, fulfilling orders, generating invoices, collecting and making payments, fulfilling contractual obligations, communicating with internal and external stakeholders, and maintaining our business and financial records. In addition, we rely on networks and services, including internet sites, cloud and software-as-a-service solutions, data hosting and processing facilities and tools and other hardware, software and technical applications and platforms, some of which are managed, hosted, provided and/or used by third-parties or their vendors. As a result, the Company is subject to various risks related to vulnerabilities, threats and attacks on these IT systems. See “Our business may be subject to system interruptions, cyber security breaches and unauthorized data disclosures” under “Risks Related to the Company” in Item 1A. Risk Factors for additional discussion of these risks.
Cybersecurity Risk Management and Strategy
Identifying and assessing cybersecurity risk is fully integrated into our overall risk management systems and processes. The Company is committed to developing and maintaining cybersecurity processes that protect the confidentiality, integrity and availability of Company, employee, customer and partner information against a growing number of increasingly sophisticated cybersecurity threats and threat actors. Our cybersecurity program is designed to protect our infrastructure from potential threats, to allow us to assess, identify and manage material risks from cybersecurity threats and to endeavor to secure the integrity of our data systems using techniques, hardware, and software typical of companies of our size and scope, which are described further below. For example, we leverage the National Institute of Standards and Technology Cybersecurity Framework’s (“NIST CSF”) principles in developing our cybersecurity program to monitor our security environment and manage risk.
The Company has adopted a risk-based strategy designed to achieve a targeted and cost-effective approach to managing cybersecurity risks that strengthens our abilities to prevent, detect, and respond to cyber-attacks, breaches, or threats. The Company has configured its IT environment, where possible, to restrict access using a least-privilege methodology. We use various technologies and monitoring capabilities to detect anomalies and track information and assets. We have implemented a cybersecurity awareness program consisting of frequent training, phishing exercises, and bulletins regarding pertinent cybersecurity developments. We maintain and regularly update incident response, disaster recovery and business continuity plans and procedures. Our IT specialists subscribe to threat intelligence feeds and are members of cybersecurity-related associations such as the Information Systems Audit and Control Association, the Computing Technology Industry Association and the Cloud Security Alliance. We also retain independent experts to assess our cybersecurity programs and the potential vulnerabilities of our IT systems to unauthorized access and other intrusions. We also maintain insurance coverage for cyber and data security risks of an amount and subject to conditions and exceptions that we believe are customary for companies like ours, but there can be no assurance that our levels of coverage are adequate or that we will be able to continue to maintain our existing insurance or obtain comparable insurance at a reasonable cost.
Material risks
Although we believe that our resiliency planning and security controls are appropriate to our exposures to system outages, service interruptions, security incidents and breaches, our information technology systems remain vulnerable to attacks by increasingly sophisticated actors who attempt to cause harm to, or otherwise interfere with, the normal use of our systems. Like other companies with international operations, we have been subjected to targeted and non-targeted attacks and other cyber incidents and continue to face numerous cybersecurity threats on a regular basis, including regular attempts to penetrate our information technology infrastructure and breaches of our security systems by our employees, both accidental and intentional. Our suppliers, contractors, service providers, and other third parties with whom we do business also experience cyber threats and attacks that are similar in frequency and sophistication. Moreover, in many cases, the Company relies on controls put in place by our suppliers, contractors, service providers, and other third parties to defend against and otherwise respond to cyber threats and attacks, which may prove insufficient.
Our technology systems and infrastructure are also potentially vulnerable to computer viruses, breakdowns or other interruptions caused by fires, natural disasters, losses of power, system malfunctions or other disruptions. IT security breaches by third parties who are able to penetrate our systems without authorization or data privacy breaches by employees or others with authorized access pose the risk that sensitive data may be exposed to unauthorized persons or the public, rendered inaccessible or permanently lost. The increasing use and evolution of technology creates additional opportunities for the intentional or unintentional dissemination or destruction of confidential or proprietary information stored in our systems or portable media or storage devices. We may also experience business interruptions (including, but not limited to, the partial or complete shutdown of one or more of our facilities), thefts of information or reputational damage from industrial or nation-state espionage attacks, ransomware, other malware or other cyber incidents or data breaches, which may compromise our system infrastructure or lead to data breaches, either internally or at our third-party providers or other business partners. Such incidents could compromise our trade secrets or other confidential information and result in such information being disclosed to third parties and becoming less valuable. Additionally, many of our employees continue to work remotely either part-time or full-time, which may increase the risk of data breaches or other types of cyber incidents.
The Company has not experienced any material cybersecurity incidents that caused us to incur any material expenses or materially affected our business, results of operations or financial condition, but we cannot assure that our business, results of operations and financial condition will not be materially affected in the future by cybersecurity risks or future incidents. Breaches in IT security, system interruptions and unauthorized disclosures of data, whether perceived or actual, could adversely affect our business, assets, revenues, results of operations, brands and reputation and result in fines, litigation, regulatory proceedings and investigations, increased insurance premiums, remediation efforts, indemnification expenditures, lost revenues and other potential liabilities. Although we have taken and will continue to take significant steps to protect the security and integrity of our information and although we have implemented policies and procedures to enhance data privacy and security, there can be no assurance that our efforts will prevent breakdowns, system failures, breaches of our systems or other cyber incidents or otherwise be fully effective. Any such breakdown, breach or incident could adversely affect our business, prospects, financial condition or results of operations, and any insurance that we may have for cyber incidents may not cover such risks or be sufficient to compensate us for losses that may occur.
Cybersecurity Governance
Our Chief Information Officer (“CIO”) is responsible for assessing and managing cybersecurity risks in collaboration with the Senior Director of IT Governance, Service Delivery and the Senior Director of Global Infrastructure, and Senior Information Security Architect, who manage our day-to-day cybersecurity-related matters and keep abreast of cybersecurity news, events and incidents through regular course monitoring and updates. These individuals average over 25 years of professional experience in various roles across multiple industries involving managing information security, developing cyber security strategy, implementing cybersecurity programs, and managing multiple industry and regulatory compliance environments (including over 15 years of collective experience working for public companies in similar roles prior to joining the Company). Our Senior Information Security Architect has several information technology-related certifications, including as a Certified Information Systems Security Professional (“CISSP”).
When detected, suspected cybersecurity threats are escalated to the CIO and incident response team. The CIO then creates a Cybersecurity Incident Response Team (“CSIRT”) which, depending on the incident, comprises the incident coordinator, cybersecurity staff, legal counsel and other stakeholders as appropriate. The CSIRT investigates and manages the impact of cybersecurity incidents in accordance with our security incident response procedures. The incident response plan provides for our CIO and our CIO’s team to work closely with our Chief Financial Officer, General Counsel and other key stakeholders, as appropriate, to assess the materiality of the incident and any impact to the Company’s operations or financial position. Pursuant to the incident response plan and the Company’s Disclosure Controls and Procedures, potentially material cyber incidents are escalated to the Company’s Disclosure Committee to evaluate, in consultation with the Chair of the Audit Committee of our Board of Directors as needed, whether an incident is required to be reported on a Form 8-K.
Our Board and the Board’s Audit Committee oversee the Company’s enterprise risk management (“ERM”) program, including the Company’s assessments of cybersecurity risks and exposures and the Company’s processes to safeguard assets and manage material cybersecurity risks. On an annual basis, the Board reviews the Company’s principal current and future risk exposures, including cybersecurity risks and exposures. The Audit Committee bears principal responsibility for overseeing the Company’s major financial risk and enterprise exposures and the steps management has taken to monitor and control such exposures, including an annual session with our CIO on the Company’s procedures and policies for assessing and managing cybersecurity risks and disclosing any material cybersecurity incidents. In performing these oversight functions, the Board and Audit Committee rely on advice, reports and opinions of management, counsel and our internal and external auditors, including mid-year and year-end cyber inquiries by our external auditors on various aspects of the Company’s cybersecurity program, processes and training.
Use of Independent Experts
The Company engaged an independent expert to conduct annual external and internal penetration tests beginning in the fourth quarter of 2021 and to assess our cybersecurity program against the NIST CSF in late 2022. We plan to continue to engage independent experts to periodically test our cybersecurity policies for their effectiveness.