WATERS CORP /DE/ - (WAT)

10-K Filing Date: February 27, 2024
Item 1C: Cybersecurity

We maintain a robust system of data protection and cybersecurity resources, technology and processes. We regularly evaluate new and emerging risks and ever-changing legal and compliance requirements. We make strategic investments to address these risks and legal and compliance requirements to keep Company, customer and employee data secure. We monitor risks of sensitive information compromise at our business partners where relevant and reevaluate these risks on a periodic basis. We also perform annual and ongoing cybersecurity training and awareness for our employees.

We have a longstanding information security risk management framework structured according to the National Institute of Standards and Technology Cybersecurity Framework, industry best practices, privacy legislation, and other global and local standards and regulations. This risk management framework is under the specific oversight of the Company’s Vice President and Chief Information Officer (the “CIO”) and includes a defense-in-depth approach with multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as data protection best practices and data loss prevention controls. Our Audit and Finance Committee is updated on the overall performance of our information security risk management framework on an annual basis by the CIO.

Our cybersecurity awareness program includes regular phishing simulations, annual general cybersecurity awareness, and data protection modules, as well as more contextual and personalized modules for targeted users and roles. We also perform simulations and drills at both a technical and leadership level at least annually. We incorporate external expertise and guidance in all aspects of our cybersecurity program. We complete annual internal security audits and vulnerability assessments of the Company’s information systems and related controls, including systems affecting personal data. In addition, we leverage cybersecurity specialists to complete annual external audits and objective assessments of our cybersecurity program and practices, including our data protection practices, as well as to conduct targeted attack simulations. We continually enhance our information security capabilities in order to protect against emerging threats, while also increasing our ability to detect and respond to cyber incidents and maximize our resilience to recover from potential cyber-attacks. We have a robust incident response plan in place that provides a documented playbook for responding to cybersecurity incidents and facilitates coordination across multiple parts of our Company. Additionally, we have purchased network security and cyber liability insurance in order to provide a level of financial protection, should a data breach occur.

Despite the existence of mitigation measures, the Company’s systems and those of its partners remain potentially vulnerable to cybersecurity threats, any of which could have a material adverse effect on the Company’s business. To date, cybersecurity incidents have not resulted in a material adverse impact to the Company’s business strategy, results of operations and financial condition, but future incidents could have such an impact. See Item 1A, Risk Factors - Risks Related to Cybersecurity.

The Board of Directors oversees the Company’s information security risk management framework that seeks to identify new risks, develop and implement risk mitigation plans, and monitor the results affecting the Company’s business and operations on an ongoing basis. The CIO manages this framework, in collaboration with the Company’s businesses and functions. The CIO presents updates to the Audit and Finance Committee at least annually and, as necessary, to the full Board of Directors. These reports include detailed updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The CIO also promptly informs and updates the Board of Directors about any information security incidents that may pose significant risk to the Company. The Company’s program is periodically evaluated by external experts, and the results of those reviews are reported to the Audit and Finance Committee and the Board of Directors. Together with management, the Audit and Finance Committee reviews the Company’s risk assessment and risk management practices and discusses major cybersecurity risk exposures as well as steps taken by management to monitor and control such exposures.

The Company’s Vice President and Chief Information Officer has over 24 years of business experience managing risks from cybersecurity threats/developing and implementing cybersecurity policies and procedures, as well as several relevant certifications.

 
