TELEFLEX INC - (TFX)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cyberattacks continue to evolve in sophistication and frequency. Among other things, an attack could impair our ability to interact with customers and suppliers, fulfill orders, generate invoices, collect and make payments, ship products, provide support to customers, fulfill contractual obligations and otherwise perform business functions.
Management has implemented a program (“Program”), which is part of our overall Enterprise Risk Management system, focused on the assessment, identification, and management of material risks resulting from cybersecurity threats. The Program was developed and is managed by our Vice President of Information Security and Privacy (CISSP, CISM and CISA) with oversight from the Chief Information Officer. Both leaders collectively have over 50 years of technology risk and cybersecurity work experience supporting multiple life science organizations.
Industry standard frameworks including International Organization for Standardization (ISO) 27001 and National Institute of Standards and Technology (NIST) are the foundation of the Program, which includes but is not limited to the fundamental security principles of least privilege access, event monitoring, vulnerability management, education, third-party risk management and incident response. The Program leverages external subject-matter experts who assist with identifying and remediating security risks present in our environment through threat hunting and vulnerability/control testing with a focus on the latest attack vectors. These external experts bring to bear risk mitigation tactics based on current threats observed across multiple organizations with similar risk profiles.
Key Program activities include:
Annual risk assessment to evaluate our profile against cyber risk threats;
Global policies based on the guiding principles of security by design and least-privilege access;
Maintenance of a critical incident response plan and simulation programs, which include procedures to comply with material security incident reporting requirements in collaboration with key members of Executive Management;
A communication framework designed to ensure that the individuals managing the Program are informed about, and in position to monitor the prevention, detection, mitigation, and remediation of, cybersecurity incidents;
Internal and external security assessments and testing to determine our susceptibility to compromise, lateral movement, privilege escalation and overall cybersecurity internal control posture;
Routine phishing simulations to identify areas for control enhancement and additional training;
Periodic end-user security training and cyber-threat awareness;
Suite of tools and processes to minimize the risk of security compromise, in addition to detective controls that alert on potential malicious activity; and
Review and approval process focused on evaluating the cybersecurity posture and internal controls of third-party service providers.
The Audit Committee of the Board of Directors receives an update from the members of management referenced above on our security posture on at least an annual basis, and more often as needed. The Audit Committee provides oversight as to the status of our cybersecurity apparatus and overall Program management (including with respect to the identification and implementation of planned security enhancements), while also advising on risk mitigation activities to address the latest threats.
To date, we have not experienced any known cybersecurity incidents that have materially affected or are reasonably likely to materially affect us in the future, including our business strategy, results of operations, or financial condition.