ZIMMER BIOMET HOLDINGS, INC. - (ZBH)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have established a cybersecurity program intended to protect the confidentiality, integrity and availability of our systems, data and products in a manner consistent with industry best practices and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We are currently ISO 27001 certified for our surgery planning ecosystem and plan to continue to maintain this industry certification. We evaluate and monitor cybersecurity risk as part of our overall enterprise risk management framework. Our cybersecurity program includes a variety of processes to assess, identify and manage risks from cybersecurity threats arising from our own and third-party provided systems, including customized annual training requirements, simulation exercises, threat monitoring and detection tools (including those using artificial intelligence and machine learning), threat containment methods, risk assessments, third-party penetration testing and security requirements for our suppliers and other third parties. We assess third party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addenda to our contracts where applicable. We maintain separation of duties between our cybersecurity organization and other IT functional areas as well as established roles that define the responsibility of the cybersecurity team within our organization.

Under our program, cybersecurity issues are analyzed by subject matter experts, including those in information security, information technology, risk, and other areas to evaluate potential security, financial, operational, reputational and other risks, as well as to identify any potential data breaches or other cybersecurity incidents. Matters involving potential data breaches and other cybersecurity incidents are considered against applicable escalation and notification requirements. We monitor and periodically enhance our cybersecurity program, processes, techniques and procedures to combat evolving and adaptive cybersecurity threats.

We engage third parties to enhance and strengthen our cybersecurity program, to provide additional capabilities and support and to provide annual independent assessments and evaluations of our cybersecurity program. Third parties also provide managed services for security operations, incident response, vulnerability remediation consulting, security remediation services, patching, and external audit services.

Like other large multi-national corporations, we regularly experience cybersecurity incidents, and we expect to continue to be subject to such incidents. To date, there have not been any previous cybersecurity incidents that materially affected us. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, including our business strategy, results of operations, or financial condition, as further described in Item 1A. Risk Factors - We are dependent on sophisticated information technology and if we fail to effectively maintain or protect our information systems or data, including from data breaches and cybersecurity events, our business could be adversely affected.

Governance

The Audit Committee of the Board of Directors oversees our cybersecurity program. It considers cybersecurity risk individually and within our overall risk management framework. We obtain periodic assessments of our cybersecurity program from independent third party experts, the results of which assessments are reported to the Audit Committee. Additionally, cybersecurity threats and incidents determined through our cybersecurity program to present potential material impacts to our financial results, operations, and/or reputation are required to be immediately reported to the Audit Committee in accordance with our escalation framework.

Our Chief Information Security Officer (“CISO”) leads our cybersecurity program through our global information security operations team. Our CISO has over 20 years of experience in information technology security obtained in civilian and military roles, and regularly reports on cybersecurity matters to our Audit Committee. As of December 31, 2023, our Cybersecurity, Risk and Compliance team consisted of team members and contractors, many of whom have advanced degrees and cybersecurity-related industry certifications. Under the direction of our CISO, we monitor developments that could affect our long-term organizational cybersecurity strategy based on threats globally and to continually enhance our cybersecurity program in response to such developments.

We have established processes providing for timely review of cybersecurity incidents by a cross-functional subcommittee of our Disclosure Committee to evaluate such incidents for potential disclosure, and to ensure that the members of management responsible for overseeing the operation of our disclosure controls and procedures are informed of such cybersecurity risks and incidents. This subcommittee consists of leading representatives from our information security, accounting, legal and internal audit functions and may be supplemented by other subject matter experts depending on the nature of cybersecurity incidents under review. The subcommittee meets on a periodic and ad hoc basis to receive reports about cybersecurity incidents and our cybersecurity program. The subcommittee escalates certain cybersecurity incidents to the Disclosure Committee within our escalation framework. Additionally, our escalation framework requires that any cybersecurity incidents determined to be material be immediately reported to the Audit Committee.