REVVITY, INC. - (RVTY)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity Disclosures
We have developed and maintain a Material Cyber Incident Disclosure Program. The program includes processes for the identification, review and assessment of materiality of cyber events, notification of our senior leadership and Board of Directors of such events, and financial reporting disclosure where applicable. As part of the program, we also engage in due diligence regarding the cybersecurity capabilities of our current and potential third-party vendors in accordance with industry best practices. Under the program, all material cyber incidents will be reported to our Board of Directors. The program is led by our Cyber Event Disclosure Committee, which includes members of our Information Security, Corporate Legal, External Reporting and Enterprise Risk Management teams. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. Our Internal Audit team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. For all critical third-party service providers, we perform a review of the vendor's System and Organization Controls (SOC), which is referred to as a SOC 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to understand and mitigate any additional risks. Our assessment of risks associated with use of third-party providers is part of our overall risk management framework.
The Company’s Chief Information Officer is responsible for developing and implementing our information security program. Our Information Security team monitors our exposure to external cybersecurity threats, leveraging automated tools and manual processes to ensure cybersecurity risk is effectively mitigated on a continuous basis. When a specific incident has been identified, the Information Security team leverages our Cyber Incident Response Plan in conjunction with established Information Security policies to begin assessment of the incident. Depending on the type and/or severity of the incident, our Information Security team will determine (in compliance with our Cyber Incident Response Plan) whether third-party expertise or consultation is necessary. If such expertise or consultation is determined to be necessary, our Information Security and Corporate Legal teams will engage with third-party experts. As part of its review of incidents, our Information Security team considers the risk exposure, potential impact, severity and implications with respect to our information technology systems. Our Information Security team is responsible for escalating incidents which are determined to be higher risk to our Cyber Event Disclosure Committee. The Cyber Event Disclosure Committee will work with our General Counsel to determine the materiality of the incident and any required disclosure. When an incident is determined to be material and is required to be disclosed, the Cyber Event Disclosure Committee will notify our senior leadership and our Board of Directors through the Audit Committee of our Board of Directors. The Cyber Event Disclosure Committee will collaborate with our Corporate Legal and Financial Reporting teams to develop any required Form 8-K Item 1.05 disclosure.
The oversight, monitoring, and testing of the program occur under our Sarbanes-Oxley entity-level control reviews and the program is integrated into our Enterprise Risk Management processes. The Cyber Event Disclosure Committee convenes, at least monthly, to review recent developments in cybersecurity and in the cybersecurity risk landscape. The Cyber Event Disclosure Committee is comprised of representatives with relevant expertise for assessing and managing the applicable risks. Our Board of Directors is presented with updates on an annual, or as needed, basis regarding our cybersecurity preparedness. Additionally, our Board of Directors is provided with comprehensive cyber training from our Chief Information Security Officer at least annually. Our Board of Directors annually reviews our cybersecurity program and the Audit Committee of our Board of Directors is specifically responsible for oversight of cybersecurity risk, which it regularly reviews with Company leadership.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.