ARTIVION, INC. - (AORT)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have established cybersecurity measures, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
Our enterprise risk management framework assesses cybersecurity threats alongside other company risks as part of our overall risk assessment process. This approach involves collaboration between enterprise risk professionals and subject matter experts to identify and assess material cybersecurity threat risks, their severity, and potential mitigations. We leverage various tools and services, including network monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to enhance our risk identification and assessment capabilities.
Our cybersecurity-specific risk assessment process benchmarks our practices against standards set by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and the Center for Internet Security (“CIS”), and includes expert-led penetration tests to evaluate the security of our information systems, as such term is defined in Item 106(a) of Regulation S-K.
To safeguard critical data and systems, ensure regulatory compliance, manage our material risks from cybersecurity threats, and address potential cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we:
Monitor emerging data protection laws and adjust our processes and procedures as required or appropriate;
Provide periodic (and no less than annual) training on cybersecurity, data privacy, and data handling to all employees and contractors with access to our systems;
Conduct periodic (and no less than annual) cybersecurity management and incident response training for relevant personnel, utilizing Knowbe4 resources;
Implement regular phishing simulations and processes for reporting phishing to enhance staff awareness and responsiveness;
Mandate that both employees and service providers treat sensitive data with utmost care, enforced through policies, practices, and contracts;
Contract with independent cybersecurity providers to assist with tabletop exercises periodically to refine our response strategies to cybersecurity incidents;
Employ the NIST incident handling framework for identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents; and
Maintain cybersecurity risk insurance to mitigate potential financial losses from incidents.
Our incident response plan outlines our approach to preparing for, detecting, responding to, and recovering from cybersecurity incidents, including severity assessment, containment, investigation, and remediation processes.
Our cybersecurity efforts involve regular engagement with external assessors, consultants, and auditors, including periodic reviews by an independent qualified security assessor to identify areas for improvement and ensure compliance, as well as assessments and audits by our insurer and our external auditing firm.
We address cybersecurity risks related to third-party service providers by incorporating these risks into our enterprise risk management and cybersecurity-specific risk assessment programs. We conduct thorough due diligence on third parties with access to our systems or data and require them to adhere to specified cybersecurity standards and audits.
The potential impact of cybersecurity threats on our business strategy, operations, and financial condition is discussed under specific headings in our risk factor disclosures at Item 1A and in the Management’s Discussion and Analysis of Financial Condition and Results of Operations at Item 7 of this Annual Report on Form 10-K.
We are not aware of any cybersecurity threats or cybersecurity incidents that have or would be reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. This includes penalties and settlements, of which there were none.
Governance
Cybersecurity is integral to our overall risk management strategy, and an area of increasing focus for our Board and management. The Audit Committee, and where applicable, the entire Board, are involved in overseeing cybersecurity risks. They receive quarterly and bi-annual updates, respectively, from management on our cybersecurity threat risk management and strategy processes. These updates cover various cybersecurity topics, including data security posture, third-party assessment results, progress on risk mitigation goals, incident response plans, and material cybersecurity threat risks or incidents. The Board and Audit Committee also have discussions with our global head of Information Technology and engage in separate meetings to consider cybersecurity risks in the context of broader corporate matters.
Our cybersecurity risk management and strategy processes are led by our global head of Information Technology, who reports directly to our Chief Financial Officer. Our information technology and cybersecurity team has over 33 years of collective experience in information security and cybersecurity strategy, gained in various roles at significant organizations. Team members hold numerous degrees and certifications, including Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Certified Penetration Tester, among others.
The global head of Information Technology is part of our operating team and ensures that management is well-informed about preventing, mitigating, detecting, and remediating cybersecurity incidents. This role involves managing our comprehensive cybersecurity risk management and strategy processes and overseeing the operation of our incident response plan.
In conclusion, our global head of Information Technology regularly updates the Audit Committee and the Board of Directors on cybersecurity threat risks and related matters, ensuring a proactive and informed approach to managing cybersecurity within our organization.